Description
Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

This vulnerability allows an attacker to read potentially sensitive data handled by the Networking component of Mozilla’s desktop applications. The flaw permits unauthorized disclosure of information that the application processes, which could include user credentials, session identifiers, or other private data transmitted over the network. The weakness is catalogued as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), meaning the exposed data can be accessed by a party that is not authorized to see it.

Affected Systems

The flaw impacts Mozilla’s Firefox and Thunderbird clients, including both standard and Extended Support Release versions. Versions up to and excluding Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7 are affected. Users running older releases of these browsers or email clients are therefore at risk.

Risk and Exploitability

The CVSS score of 5.3 places this flaw in the medium severity range, and the EPSS score of less than 1% suggests that exploitation is unlikely. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers could exploit the vulnerability through network-based means, such as sending crafted packets or manipulating the data flow within the client, though no specific exploit has been publicly documented. The primary protection is to prevent unauthorized access to the application’s networking module, which the vendor addresses in the patched releases.

Generated by OpenCVE AI on April 15, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 147 or newer, or to Firefox ESR 140.7 or newer, to receive the fix for the networking information disclosure flaw.
  • Upgrade to Thunderbird 147 or newer, or to Thunderbird ESR 140.7 or newer, to eliminate the disclosure issue.
  • After updating, restart the applications so that the updated networking components are loaded and active.



Advisories
Source | ID | Title
Debian DLA | DLA-4439-1 | firefox-esr security update
Debian DLA | DLA-4442-1 | thunderbird security update
Debian DSA | DSA-6101-1 | firefox-esr security update
Debian DSA | DSA-6103-1 | thunderbird security update
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products | | Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | Information disclosure in the Networking component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7. | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox; Mozilla firefox Esr
Vendors & Products | | Mozilla; Mozilla firefox; Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000


Tue, 13 Jan 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Information disclosure in the Networking component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.
Title | | Information disclosure in the Networking component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:51.032Z

Reserved: 2026-01-13T13:30:55.877Z

Link: CVE-2026-0883

Vulnrichment

Updated: 2026-01-13T15:47:29.531Z

NVD

Status: Modified

Published: 2026-01-13T14:16:38.853

Modified: 2026-04-13T15:17:17.223

Link: CVE-2026-0883

Redhat

Severity: Moderate

Public Date: 2026-01-13T13:30:56Z

Links: CVE-2026-0883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses