Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability enables the bypass of the DOM security component in Mozilla products. The impact is that the protection mechanisms meant to guard against malicious DOM manipulation can be circumvented, exposing the system to further compromise. The weakness is classified as CWE-693 and CWE-807, indicating improper authorization and related restrictions.

Affected Systems

The bug affects Mozilla Firefox and Mozilla Thunderbird versions prior to Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird ESR 140.12. Users running earlier versions are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a high severity, while the EPSS score of < 1% suggests a low likelihood of exploitation today. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is likely remote, involving malicious web content or email attachments that manipulate the DOM. If exploited, the attacker could override security checks, potentially leading to code execution or other privileges.

Generated by OpenCVE AI on June 18, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox ESR 140.12 or newer).
  • Upgrade Mozilla Thunderbird to version 152 or newer (or ESR 140.12 or newer).
  • If an immediate upgrade is not feasible, consider disabling or limiting script execution in browser settings as a temporary measure until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Mitigation bypass in the DOM: Security component
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T18:26:13.133Z

Reserved: 2026-06-15T15:08:16.927Z

Link: CVE-2026-12315

cve-icon Vulnrichment

Updated: 2026-06-16T18:25:59.032Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:32.147

Modified: 2026-06-16T20:16:28.140

Link: CVE-2026-12315

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:48Z

Links: CVE-2026-12315 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure

  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision