Cyber Resilience

CVE-2025-3839

High

Published: 23 January 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: available (Red Hat advisory)
CVSS v3.1 score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0002 (5.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-3839 is a high-severity vulnerability classified as CWE-356 (Product UI does not Warn User of Unsafe Actions). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1204.001 (Malicious Link). EPSS ranks it at the 5.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-3839 is a vulnerability in the Epiphany web browser: a website can cause the browser to launch an external URL handler application with minimal user interaction and without adequate warning or gating. This design flaw, classified under CWE-356, lets attackers reach vulnerabilities in those handlers by leveraging the browser's trusted UI behaviour, potentially resulting in code execution on the client device. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-01-23.

Reading the vector: the attack is network-reachable (AV:N) and needs no privileges (PR:N), but attack complexity is high (AC:H) and user interaction is required (UI:R), typically clicking a malicious link. A successful attack changes scope (S:C), because the impact lands in the invoked external handler rather than in the browser itself, and has high confidentiality and integrity impact (C:H/I:H) with no availability impact (A:N): code execution through the external handler, presented to the user as an ordinary browser action.

Red Hat advisories detail mitigations and patches for this issue, available at https://access.redhat.com/security/cve/CVE-2025-3839, with further technical discussion in the Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2361430.

Vulnerability details

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.

CWE(s)

CWE-356: Product UI does not Warn User of Unsafe Actions

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

- T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The browser flaw lets a malicious link launch an external handler with almost no friction, so a user who clicks a phishing link directly triggers execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-25805 (shared CWE-356)
- CVE-2025-2450 (shared CWE-356)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- Prevent (SI-2 Flaw Remediation): Directly remediates the design flaw in Epiphany by requiring timely patching of the browser vulnerability as detailed in the Red Hat advisories.
- Prevent (CM-6 Configuration Settings): Enforces secure browser configuration settings that require a user warning or explicit gating before an external URL handler is launched from web content.
- Prevent: Limits browser functionality to essential capabilities, prohibiting or restricting non-essential external URL handler invocations that could be exploited.
