Description
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious script to escape the isolated sandbox that isolates workers in the Document Object Model. This sandbox escape gives an attacker the same privileges as the privileged browser or email client process, enabling unrestricted access to system resources and execution of arbitrary code.

Affected Systems

Vendors affected Builds that do not include the fix are any Firefox releases older than 152, ESR 140.12, or ESR 115.37, and any Thunderbird releases older than 152 or 140.12. Users running those legacy versions are vulnerable until they apply the security update.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical severity, while the EPSS score of < 1% suggests a very low probability of exploitation in the near term and the vulnerability is not listed in the CISA KEV catalog. Exploit scenarios involve delivery of malicious content—such as a compromised website or phishing email—to a user’s browser or Thunderbird instance, leading to a privilege‑escalating sandbox escape and potentially full system compromise.

Generated by OpenCVE AI on June 18, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 152, ESR 140.12, ESR 115.37, Thunderbird 152, or Thunderbird 140.12 or newer releases that contain the fix
  • If an immediate upgrade is not possible, disable untrusted worker script loading or enforce stricter content security policies for domains that rely on workers
  • Apply the latest operating system and library updates that provide sandbox enforcement to minimize the risk of other related vulnerabilities

Generated by OpenCVE AI on June 18, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title Sandbox escape in the DOM: Workers component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T16:11:13.267Z

Reserved: 2026-06-15T15:08:07.929Z

Link: CVE-2026-12294

cve-icon Vulnrichment

Updated: 2026-06-18T14:23:34.957Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:29.643

Modified: 2026-06-16T17:16:33.307

Link: CVE-2026-12294

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:27Z

Links: CVE-2026-12294 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-693

    Protection Mechanism Failure