Description
Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to cause a denial of service by exploiting a flaw in the XML component of the software. The flaw was addressed in later releases; the primary impact is service interruption, which affects users who rely on the affected application for everyday tasks. The issue is classified under CWE-400 (uncontrolled resource consumption) and CWE-776 (XML entity expansion), the weaknesses recorded for this CVE.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Any version prior to 149 is at risk. The exact range of vulnerable versions is not listed, but the advisory indicates that Firefox 149 and Thunderbird 149 contain the fix, so any installation of an earlier version of either product should be considered vulnerable.

Risk and Exploitability

The reported CVSS score of 7.5 indicates high severity for this denial-of-service condition. The EPSS score is below 1%, indicating that widespread exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) records a network attack vector that requires no privileges or user interaction; the description does not detail the trigger, but since the affected component parses XML, the expected path is crafted XML content supplied to the application.

Generated by OpenCVE AI on April 13, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for Mozilla Firefox (version 149 or newer).
  • Apply the latest update for Mozilla Thunderbird (version 149 or newer).

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

  Description
    Removed: Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
    Added:   Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 21:00:00 +0000

  First Time appeared
    Added:   Mozilla thunderbird
  CPEs
    Added:   cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
             cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
  Vendors & Products
    Added:   Mozilla thunderbird

Wed, 25 Mar 2026 19:15:00 +0000

  Weaknesses
    Added:   CWE-400
  Metrics
    Removed: cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}
    Added:   ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
             cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Mar 2026 12:15:00 +0000

  Weaknesses
    Added:   CWE-776
  References
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}
             threat_severity Low

Wed, 25 Mar 2026 12:00:00 +0000

  First Time appeared
    Added:   Mozilla
             Mozilla firefox
  Vendors & Products
    Added:   Mozilla
             Mozilla firefox

Tue, 24 Mar 2026 20:30:00 +0000

  Description
    Removed: Denial-of-service in the XML component. This vulnerability affects Firefox < 149.
    Added:   Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
  References

Tue, 24 Mar 2026 12:45:00 +0000

  Description
    Added:   Denial-of-service in the XML component. This vulnerability affects Firefox < 149.
  Title
    Added:   Denial-of-service in the XML component
  References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:05.682Z

Reserved: 2026-03-23T23:22:51.463Z

Link: CVE-2026-4726

Vulnrichment

Updated: 2026-03-25T17:47:49.528Z

NVD

Status: Modified

Published: 2026-03-24T13:16:08.473

Modified: 2026-04-13T15:17:45.073

Link: CVE-2026-4726

Redhat

Severity: Low

Public Date: 2026-03-24T12:30:40Z

Links: CVE-2026-4726 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:51Z

Weaknesses