{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4726", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:51.463Z", "datePublished": "2026-03-24T12:30:40.673Z", "dateUpdated": "2026-03-25T18:07:57.815Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}]}], "title": "Denial-of-service in the XML component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955311"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "credits": [{"lang": "en", "value": "Hanno Boeck"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:50.228Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:47:28.003534Z", "id": "CVE-2026-4726", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T18:07:57.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4726", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:47:28.003534Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:47:49.528Z"}}], "cna": {"title": "Denial-of-service in the XML component", "credits": [{"lang": "en", "value": "Hanno Boeck"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955311"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "descriptions": [{"lang": "en", "value": "Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "value": "Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:50.228Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4726", "state": "PUBLISHED", "dateUpdated": "2026-03-25T18:07:57.815Z", "dateReserved": "2026-03-23T23:22:51.463Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T12:30:40.673Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B", "versionEndExcluding": "149.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "40FE4697-89F1-46F6-8E28-41883647583B", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}, {"lang": "es", "value": "Denegaci\u00f3n de servicio en el componente XML. Esta vulnerabilidad afecta a Firefox &lt; 149 y Thunderbird &lt; 149."}], "id": "CVE-2026-4726", "lastModified": "2026-03-25T20:55:35.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T13:16:08.473", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955311"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Denial-of-service in the XML component", "id": "2450731", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450731"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-776", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nDenial-of-service in the XML component"], "name": "CVE-2026-4726", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4726\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4726\nhttps://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4726"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-03-25T20:29:27.931990+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 149 or newer", "Upgrade to Thunderbird 149 or newer", "Monitor Mozilla security advisories for future patches"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions earlier than 149 and Mozilla Thunderbird earlier than 149 are affected. The vulnerable component is the XML parser used in these products.", "description_and_impact": "The vulnerability is a denial\u2011of\u2011service condition in the XML parsing component. It allows an attacker to cause the application to consume excessive resources or crash while processing XML data. This weakness is linked to CWE\u2011400 (Uncontrolled Resource Consumption) and CWE\u2011776 (Use After Free). The effect is that legitimate users are denied service or usability of the affected application without enabling arbitrary code execution or data leakage.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a moderate to high severity. The EPSS score is below 1\u202f%, suggesting a low probability of widespread exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attack is likely triggered by feeding a specially crafted XML document to Firefox or Thunderbird, such as via a web page, local file, or email attachment; the exact vector is not specified, but remote exploitation is inferred if the parser is exposed to untrusted content. The impact is limited to denial of service rather than privilege escalation or data exfiltration."}}}}, "created": "2026-03-25T11:47:48.980987+00:00", "updated": "2026-03-25T20:50:26.785606+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}