Description
Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.
Published: 2026-03-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Same-origin policy bypass
Action: Patch promptly
AI Analysis

Impact

The vulnerability stems from a flaw in Firefox’s CSS parsing and computation component that allows a malicious website to bypass the same-origin policy. Based on the description, it is inferred that an attacker may read or modify resources that should be protected by cross-origin restrictions, potentially compromising the confidentiality or integrity of user data. The weakness is classified as CWE‑346, indicating an access control violation inherent in the browser’s handling of CSS.

Affected Systems

Mozilla Firefox versions earlier than 148.0.2 are affected. All builds of Firefox that match the Mozilla:Firefox product entry are vulnerable until the 148.0.2 release applies the fix.

Risk and Exploitability

The CVSS base score of 6.5 denotes a moderate risk level. The EPSS score of less than 1% indicates that, as of now, the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a web page that a user visits, delivering specially crafted CSS that triggers the bypass. Successful exploitation would occur entirely in the victim’s browser without any additional user interaction beyond normal browsing.

Generated by OpenCVE AI on April 15, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 148.0.2 or newer.
  • Deploy the updated Firefox package across all managed devices.
  • Monitor browser logs for unexpected CSS parsing errors that may signal exploitation attempts.

Generated by OpenCVE AI on April 15, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability affects Firefox < 148.0.2. Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.

Wed, 11 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability affects Firefox < 148.0.2.
Title Same-origin policy bypass in the CSS Parsing and Computation component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:54:04.223Z

Reserved: 2026-03-09T19:33:22.195Z

Link: CVE-2026-3846

cve-icon Vulnrichment

Updated: 2026-03-10T17:44:03.112Z

cve-icon NVD

Status : Modified

Published: 2026-03-10T18:19:05.673

Modified: 2026-04-13T15:17:34.970

Link: CVE-2026-3846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses