Description
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a clickjacking flaw in the Widget: Gtk component used by Mozilla's Firefox and Thunderbird. It allows an attacker to embed content that tricks users into interacting with hidden controls, potentially leading to unintended actions. The weakness is classified as CWE‑1021, reflecting UI deception. The CVSS score of 5.4 indicates a moderate impact.

Affected Systems

Both Firefox and Thunderbird are affected until the release of version 152, which contains a patch. All earlier releases are vulnerable. The vulnerability is present in all platforms where the Gtk widget is enabled, including desktop Windows, macOS, and Linux distributions that ship those browsers.

Risk and Exploitability

The EPSS score is less than 1 %, suggesting a low probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Attackers would need to lure a user into interacting with a page containing the widget; authentication or elevated privileges are not required. Because the issue is a UI deception flaw, the primary risk is to user integrity and to information disclosed through unintended actions.

Generated by OpenCVE AI on June 17, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 152 or later
  • Update Thunderbird to version 152 or later
  • Enable clickjacking protection settings such as Content Security Policy or X-Frame-Options in the browser configuration
  • Educate users to recognize and avoid suspicious embedded content

Generated by OpenCVE AI on June 17, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152. Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
References

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.
Title Clickjacking issue in the Widget: Gtk component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T18:00:55.637Z

Reserved: 2026-06-15T15:08:19.905Z

Link: CVE-2026-12322

cve-icon Vulnrichment

Updated: 2026-06-16T15:33:38.426Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:32.937

Modified: 2026-06-16T20:41:44.860

Link: CVE-2026-12322

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-16T11:52:55Z

Links: CVE-2026-12322 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames