Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Browser DOM security component bypass
Action: Immediate Patch
AI Analysis

Impact

Firefox and Thunderbird contain a flaw that can bypass built‑in DOM security checks. The effect is that a malicious script could run in the browser context. Based on the description, it is inferred that this could enable theft of user data, credential compromise, or further malicious activity, although the official CVE text does not explicitly state these outcomes. The vulnerability was fixed in Firefox 147, Firefox ESR 115.32, 140.7, Thunderbird 147, and Thunderbird 140.7.

Affected Systems

All Mozilla Firefox releases below version 147, all ESR builds before 115.32 and 140.7, and all Mozilla Thunderbird releases below version 147 or ESR builds below 140.7 are vulnerable. Versions 147 and later, ESR 115.32 or 140.7 and later are secure.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity, while the EPSS score is <1%, showing a very low exploitation probability. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a malicious web page or email containing crafted content that targets the DOM security component; exploitation would require user interaction such as visiting the page or opening the message.

Generated by OpenCVE AI on April 15, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 147 or ESR 115.32/140.7 and Thunderbird to version 147 or ESR 140.7 or later
  • If an upgrade is not possible, uninstall or disable older Firefox or Thunderbird installations to prevent execution of vulnerable software
  • Apply the latest security patches as listed in Mozilla release notes and monitor advisories for any additional mitigation steps

Generated by OpenCVE AI on April 15, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7. Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 13 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Title Mitigation bypass in the DOM: Security component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:38.648Z

Reserved: 2026-01-13T13:30:52.762Z

Link: CVE-2026-0877

cve-icon Vulnrichment

Updated: 2026-01-13T15:25:37.265Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:38.270

Modified: 2026-04-13T15:17:15.810

Link: CVE-2026-0877

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-13T13:30:52Z

Links: CVE-2026-0877 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses