CVE-2026-9053
Description
Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mothra browser respects a default file path from HTML forms, allowing a malicious website to set any file without user interaction.
Vulnerability
Mothra, the Plan 9 web browser, has a vulnerability in its HTML forms parser (sys/src/cmd/mothra/forms.c). When a website specifies a default value for the INPUT element of type file, Mothra would accept that default file path without clearing it. The bug existed in all affected versions prior to commit d145acc9 (2026-05-22). The fix ensures that the file input value is set to an empty string, preventing websites from controlling the default file path. [1]
Exploitation
An attacker who controls a website visited by a user running a vulnerable version of Mothra can craft a malicious HTML form with an INPUT element of type file and a pre-set default file path (e.g., using the value attribute). The attacker can hide the form element using CSS or other techniques. When the user submits the form (which may happen automatically or with minimal interaction, such as clicking a button that is not obviously a file upload), Mothra uses the default file path provided by the attacker instead of requiring the user to select a file. This bypasses the usual file dialog that would require user consent. [1]
Impact
A successful exploit allows the attacker to exfiltrate arbitrary files from the victim's system without the victim's awareness or consent. The file is sent to the attacker's server as part of the form submission. The severity is medium because the user must still visit the malicious website and submit the form, but the attacker can disguise the file upload to avoid suspicion. [1]
Mitigation
The vulnerability was fixed in commit d145acc9 on 2026-05-22 by adding the line *f->value = '\0'; inside the file case block, so any page-supplied default value is cleared before the control is used. Users should update their 9front or Plan 9 system to a version that includes this commit. There is no known workaround for unpatched systems. The vulnerability is not listed in the CISA KEV catalog as of the publication date. [1]
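To show the behaviour the fix changes, here is a small constructed C model added for this page; it is not mothra's forms.c and its names (form_field, apply_input_attrs_vulnerable, apply_input_attrs_fixed, file_control_prefilled, text_value_preserved) are hypothetical. It keeps the vulnerable seeding of a form control beside the hardened variant, in which a file control discards any page-supplied value, which is what the commit's *f->value = '\0'; does, while text controls still keep their default.

```c
/* Illustrative model of the defect class, not mothra's own code.
   Struct and function names are hypothetical. */
#include <string.h>

#define VALUE_MAX 256

enum input_kind { INPUT_TEXT, INPUT_FILE, INPUT_OTHER };

struct form_field {
    enum input_kind kind;
    char value[VALUE_MAX];  /* what the browser will submit for this control */
};

static enum input_kind kind_from_type(const char *type)
{
    if (type == NULL || *type == '\0' || strcmp(type, "text") == 0)
        return INPUT_TEXT;
    if (strcmp(type, "file") == 0)
        return INPUT_FILE;
    return INPUT_OTHER;
}

static void copy_value(struct form_field *f, const char *value)
{
    if (value == NULL)
        value = "";
    strncpy(f->value, value, VALUE_MAX - 1);
    f->value[VALUE_MAX - 1] = '\0';
}

/* Vulnerable behaviour: every control, file inputs included, is seeded
   with whatever value= the page author supplied. */
void apply_input_attrs_vulnerable(struct form_field *f, const char *type, const char *value)
{
    f->kind = kind_from_type(type);
    copy_value(f, value);
}

/* Hardened behaviour: a file control never accepts a page-supplied path;
   only the user's file dialog may populate it later. */
void apply_input_attrs_fixed(struct form_field *f, const char *type, const char *value)
{
    f->kind = kind_from_type(type);
    copy_value(f, value);
    if (f->kind == INPUT_FILE)
        *f->value = '\0';   /* the one-line fix described above */
}

typedef void (*apply_fn)(struct form_field *, const char *, const char *);

/* Returns 1 if a file control ends up pre-filled from markup alone. */
int file_control_prefilled(apply_fn apply)
{
    struct form_field f;
    /* constructed sample attribute value, not taken from any real page */
    apply(&f, "file", "/tmp/example-secret.txt");
    return f.kind == INPUT_FILE && f.value[0] != '\0';
}

/* Returns 1 if a text control still keeps its default under the same code path,
   confirming the fix is scoped to file controls only. */
int text_value_preserved(apply_fn apply)
{
    struct form_field f;
    apply(&f, "text", "hello");   /* constructed sample */
    return f.kind == INPUT_TEXT && strcmp(f.value, "hello") == 0;
}
```

A regression check for this class of bug is the pair of calls at the bottom: the vulnerable path reports a pre-filled file control, the fixed path does not, and ordinary text defaults are unaffected either way.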
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.