Cyber Posture

CVE-2025-3839

Severity: High
Published: 23 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-3839 is a high-severity vulnerability of the type "Product UI does not Warn User of Unsafe Actions" (CWE-356). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): directly remediates the design flaw in Epiphany by requiring timely patching of the browser vulnerability as detailed in Red Hat advisories.
- CM-6 Configuration Settings (prevent): enforces secure browser configuration settings to require user warnings or explicit gating before launching external URL handlers from web content.
- (prevent): limits browser functionality to essential capabilities, prohibiting or restricting non-essential external URL handler invocations that could be exploited.

MITRE ATT&CK Enterprise Techniques

- T1204.001 Malicious Link (tactic: Execution): an adversary may rely upon a user clicking a malicious link in order to gain execution.
- T1566.002 Spearphishing Link (tactic: Initial Access): adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The browser flaw enables a seamless external handler launch via a malicious link, directly facilitating user execution once the victim interacts with a phishing link.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.

Deeper analysis

CVE-2025-3839 is a vulnerability in Epiphany, a web browser that enables websites to launch external URL handler applications with minimal user interaction and without adequate warnings or gating. This design flaw, classified under CWE-356, allows attackers to exploit vulnerabilities in those handlers by leveraging the browser's trusted UI behavior, potentially resulting in code execution on the client device. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-01-23.

Remote attackers require no privileges to target victims over the network, but exploitation demands high complexity and user interaction, such as clicking a malicious link. Success changes the attack scope and achieves high impacts on confidentiality and integrity, enabling code execution through the invoked external handlers that appear as legitimate browser actions.

Red Hat advisories detail mitigations and patches for this issue, available at https://access.redhat.com/security/cve/CVE-2025-3839, with further technical discussion in the Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2361430.

Details

CWE(s): CWE-356 (Product UI does not Warn User of Unsafe Actions)

CVEs Like This One

- CVE-2026-25805 (shared CWE-356)
- CVE-2025-2450 (shared CWE-356)