Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw allows an attacker to bypass a security mitigation built into the DOM component of Mozilla products. The vulnerability was addressed in Firefox 152 and Thunderbird 152 and carries a CVSS score of 9.1, reflecting a critical weakness that violates the intended protection mechanism, as classified by CWE‑693 and CWE‑358.

Affected Systems

All versions of Mozilla Firefox and Mozilla Thunderbird released before version 152 are potentially affected. The fix is delivered in the 152 releases of both products, meaning any older build remains vulnerable until updated.

Risk and Exploitability

The EPSS score of less than 1% and absence from the CISA KEV catalog suggest that exploitation is not widely observed today, yet the high CVSS score indicates a severe risk if discovered. Based on the description, it is inferred that the attack likely requires the delivery of crafted content—such as a malicious web page or email that causes the DOM security component to misbehave, potentially leading to code execution or privilege escalation within the context of the user’s profile.

Generated by OpenCVE AI on June 25, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 152 or newer
  • Upgrade to Thunderbird 152 or newer
  • Disable or uninstall any extensions or custom settings that modify DOM behavior until the patch is applied

Generated by OpenCVE AI on June 25, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000


Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
References

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152.
Title Mitigation bypass in the DOM: Security component
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T18:24:42.459Z

Reserved: 2026-06-15T15:08:17.309Z

Link: CVE-2026-12316

cve-icon Vulnrichment

Updated: 2026-06-16T18:23:35.315Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:32.257

Modified: 2026-06-16T20:16:28.293

Link: CVE-2026-12316

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:49Z

Links: CVE-2026-12316 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:30:15Z

Weaknesses
  • CWE-358

    Improperly Implemented Security Check for Standard

  • CWE-693

    Protection Mechanism Failure