Description
Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
Published: 2025-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via cross‑origin script load events
Action: Patch promptly
AI Analysis

Impact

A vulnerability causes script elements that load resources from other origins to emit load and error events that leak status information. This leakage can be exploited to perform XS‑Leaks attacks, allowing an attacker to discover whether a cross‑origin resource exists, its status, or whether a request succeeded or failed. The primary consequence is unauthorized disclosure of information about remote resources, which could assist in crafting further attacks. The weakness is classified as CWE‑200 (Information Exposure).

Affected Systems

Mozilla Firefox before version 139 and Firefox ESR before 128.11 are affected, as are Mozilla Thunderbird before version 139 and Thunderbird ESR before 128.11. No specific Red Hat product versions are cited as vulnerable in the description, but the Red Hat Enterprise Linux CPEs recorded in the history below show that the RHEL packages of these products are tracked against this CVE as well.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests the probability of exploitation is very low at present. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a malicious web site that hosts a script element pointing to a cross‑origin resource; the attacker can then observe the emission of load or error events to infer status information. No privilege escalation or code execution is possible, but the disclosed information could assist in other phishing or reconnaissance activities.

Generated by OpenCVE AI on April 20, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to at least version 139 or Firefox ESR 128.11, and upgrade Mozilla Thunderbird to at least version 139 or Thunderbird ESR 128.11.
  • Enable automatic updates for all Mozilla products to ensure future patches are applied with minimal delay.
  • Apply a strict Content Security Policy that limits script sources to trusted origins, which reduces the potential for cross‑origin script load events to leak sensitive status information.
  • Monitor official Mozilla advisories for any additional mitigation steps or updates on affected platforms.

Advisories
Source       ID               Title
Debian DLA   DLA-4191-1       firefox-esr security update
Debian DLA   DLA-4194-1       thunderbird security update
Debian DSA   DSA-5926-1       firefox-esr security update
Debian DSA   DSA-5932-1       thunderbird security update
EUVD         EUVD-2025-18107  Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
Ubuntu USN   USN-7663-1       Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
  Added:   Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Mon, 03 Nov 2025 20:30:00 +0000


Thu, 30 Oct 2025 16:30:00 +0000

Title
  Removed: firefox: thunderbird: Script element events leaked cross-origin resource status
  Added:   Script element events leaked cross-origin resource status

Tue, 23 Sep 2025 15:15:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Added:   {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Mon, 16 Jun 2025 18:45:00 +0000

Values Added
  First Time appeared: Redhat rhel Els
  CPEs: cpe:/o:redhat:rhel_els:7
  Vendors & Products: Redhat rhel Els

Wed, 11 Jun 2025 12:15:00 +0000

Description
  Removed: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
  Added:   Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
References

Tue, 10 Jun 2025 06:45:00 +0000

Values Added
  First Time appeared: Redhat rhel Aus; Redhat rhel Tus
  CPEs:
    cpe:/a:redhat:rhel_aus:8.2
    cpe:/a:redhat:rhel_aus:8.4
    cpe:/a:redhat:rhel_aus:8.6
    cpe:/a:redhat:rhel_e4s:8.6
    cpe:/a:redhat:rhel_e4s:8.8
    cpe:/a:redhat:rhel_e4s:9.2
    cpe:/a:redhat:rhel_tus:8.6
    cpe:/a:redhat:rhel_tus:8.8
  Vendors & Products: Redhat rhel Aus; Redhat rhel Tus

Fri, 06 Jun 2025 22:00:00 +0000

Values Added
  First Time appeared: Redhat rhel E4s; Redhat rhel Eus
  CPEs:
    cpe:/a:redhat:rhel_e4s:9.0
    cpe:/a:redhat:rhel_eus:9.4
  Vendors & Products: Redhat rhel E4s; Redhat rhel Eus

Wed, 04 Jun 2025 20:30:00 +0000

Values Added
  First Time appeared: Mozilla; Mozilla firefox
  CPEs:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
  Vendors & Products: Mozilla; Mozilla firefox

Tue, 03 Jun 2025 06:45:00 +0000

Values Added
  CPEs: cpe:/o:redhat:enterprise_linux:10.0

Thu, 29 May 2025 19:30:00 +0000

Values Added
  First Time appeared: Redhat; Redhat enterprise Linux
  CPEs:
    cpe:/a:redhat:enterprise_linux:8
    cpe:/a:redhat:enterprise_linux:9
  Vendors & Products: Redhat; Redhat enterprise Linux

Thu, 29 May 2025 02:45:00 +0000

Values Added
  Title: firefox: thunderbird: Script element events leaked cross-origin resource status
  Weaknesses: CWE-829
  References
Metrics (threat_severity)
  Removed: None
  Added:   Moderate


Tue, 27 May 2025 18:15:00 +0000

Values Added
  Weaknesses: CWE-200
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 May 2025 12:45:00 +0000

Values Added
  Description: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
  References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:08.538Z

Reserved: 2025-05-27T12:29:24.726Z

Link: CVE-2025-5266

Vulnrichment

Updated: 2025-11-03T20:06:04.324Z

NVD

Status : Modified

Published: 2025-05-27T13:15:22.403

Modified: 2026-04-13T15:17:04.210

Link: CVE-2025-5266

Redhat

Severity : Moderate

Public Date: 2025-05-27T12:29:25Z

Links: CVE-2025-5266 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses