Description
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to bypass the same‑origin policy in the Networking: Cookies component. By exploiting the flaw, the attacker can read cookies that normally belong to a different website domain, potentially enabling session hijacking or the theft of user data. The weakness is classified as CWE‑346, which denotes an authentication bypass that is enabled by a user‑controlled key.

Affected Systems

The affected software includes Mozilla Firefox versions prior to 152 and Firefox ESR 140.12, as well as Mozilla Thunderbird prior to 152 and Thunderbird ESR 140.12. All installations of these browsers that have not applied the available update are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a severe risk, yet the EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is client‑side; an attacker would need to deliver malicious content or scripts that trigger the cookie lookup logic. While the flaw does not grant direct code execution, the ability to read cross‑origin cookies can lead to significant confidentiality breaches if an attacker obtains session tokens or other sensitive data.

Generated by OpenCVE AI on June 17, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 152 or later, or to Firefox ESR 140.12 or later.
  • Update Mozilla Thunderbird to version 152 or later, or to Thunderbird ESR 140.12 or later.
  • If an immediate update is not possible, temporarily restrict cookie access in the browser configuration by setting "network.cookie.cookieBehavior" to 2 to prevent cross‑origin cookie reads.

Generated by OpenCVE AI on June 17, 2026 at 21:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Same-origin policy bypass in the Networking: Cookies component
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T18:55:05.212Z

Reserved: 2026-06-15T15:08:12.234Z

Link: CVE-2026-12304

cve-icon Vulnrichment

Updated: 2026-06-16T18:48:15.088Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:30.643

Modified: 2026-06-16T20:16:27.673

Link: CVE-2026-12304

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:37Z

Links: CVE-2026-12304 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:00:04Z

Weaknesses