Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass potentially enabling arbitrary code execution
Action: Patch Immediately
AI Analysis

Impact

A bypass of security controls in the DOM: Security component has been identified, rated with a CVSS score of 9.8. The vulnerability allows a malicious entity to circumvent established authorization checks, potentially enabling the execution of unauthorized code or content. This high‑severity weakness is classified under CWE‑288, indicating a failure to enforce or verify proper privileges. No explicit details are provided in the description, so the exact mechanics remain unspecified, but the impact is clear: the bypass can compromise both confidentiality and integrity of the affected applications.

Affected Systems

Mozilla products are affected. The issue is fixed in Firefox 148 and the ESR 140.8 branch, as well as in Thunderbird 148 and Thunderbird 140.8. Versions older than these should be considered vulnerable until patched.

Risk and Exploitability

The EPSS score of less than 1% suggests a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Despite this, the remote impact and the severity rating call for urgent action. Attackers would need to entice a user into loading malicious content or exploit a web page that interacts with the vulnerable component; the precise attack path is not detailed, so the likely vector is inferred to involve client‑side DOM manipulation or crafted web content that triggers the bypass. Even with low observed exploitation, the combination of high CVSS and critical functional impact warrants immediate remediation.

Generated by OpenCVE AI on April 15, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 148 or the ESR 140.8 release, and upgrade Thunderbird to version 148 or the ESR 140.8 release
  • Remove or disable any add‑ons or extensions that may interact with the DOM: Security component and have not been updated to support compatible versions
  • Apply vendor‑issued security updates promptly and monitor Mozilla advisories for related patches or additional controls

Generated by OpenCVE AI on April 15, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4495-1 thunderbird security update
Debian DLA Debian DLA DLA-4496-1 firefox-esr security update
Debian DSA Debian DSA DSA-6148-1 firefox-esr security update
Debian DSA Debian DSA DSA-6152-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mon, 02 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 28 Feb 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288

Wed, 25 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 24 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8. Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
References

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Title Mitigation bypass in the DOM: Security component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-16T14:32:57.551Z

Reserved: 2026-02-19T15:06:19.739Z

Link: CVE-2026-2784

cve-icon Vulnrichment

Updated: 2026-02-28T03:13:43.105Z

cve-icon NVD

Status : Modified

Published: 2026-02-24T14:16:26.847

Modified: 2026-04-13T15:17:26.317

Link: CVE-2026-2784

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T13:33:17Z

Links: CVE-2026-2784 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses