Description
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows a malicious actor to spoof or alter DOM elements within the browser’s core and HTML handling components. As a result, a user visiting a compromised or malicious web page could see altered page content or navigation, potentially facilitating social engineering, phishing, or other deception attacks. The weakness, classified as CWE‑1021, arises from improper handling of DOM input, enabling such spoofing without user interaction.

Affected Systems

Mozilla products Firefox and Thunderbird are affected. Versions prior to Firefox 152 and Thunderbird 152 contain the bug; the issue was patched in those releases. Any installation of these browsers older than the stated versions is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, indicating a moderate impact. The EPSS score is reported as less than 1 %, showing a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. Attackers would most likely exploit this via a malicious web page loaded in the browser, inferring that the vector is web‑based; however, the official description does not explicitly state the vector, so this inference is marked as such.

Generated by OpenCVE AI on June 17, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 152 or newer or later
  • Update Thunderbird to version 152 or newer or later
  • Limit or block loading of untrusted content and disable extensions that manipulate the DOM until the patch is available

Generated by OpenCVE AI on June 17, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:45:00 +0000


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152. Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152.
Title Spoofing issue in the DOM: Core & HTML component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:43.582Z

Reserved: 2026-06-15T15:08:20.648Z

Link: CVE-2026-12323

cve-icon Vulnrichment

Updated: 2026-06-16T14:55:48.528Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:33.043

Modified: 2026-06-16T20:42:26.287

Link: CVE-2026-12323

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-16T11:52:56Z

Links: CVE-2026-12323 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames