{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4728", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:54.953Z", "datePublished": "2026-03-24T12:30:41.773Z", "dateUpdated": "2026-03-25T19:49:27.971Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}]}], "title": "Spoofing issue in the Privacy: Anti-Tracking component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "credits": [{"lang": "en", "value": "Aswinkumar Gokulakannan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:51.796Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:13:55.853926Z", "id": "CVE-2026-4728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:49:27.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:13:55.853926Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:15:09.923Z"}}], "cna": {"title": "Spoofing issue in the Privacy: Anti-Tracking component", "credits": [{"lang": "en", "value": "Aswinkumar Gokulakannan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:51.796Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4728", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:49:27.971Z", "dateReserved": "2026-03-23T23:22:54.953Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T12:30:41.773Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC415708-0D12-42F6-801D-6884F4F01CD9", "versionEndExcluding": "149.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "98D01327-B65C-4FE2-8BBE-98C3555CF8E0", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n en el componente de Privacidad: Anti-Rastreo. Esta vulnerabilidad afecta a Firefox &lt; 149 y Thunderbird &lt; 149."}], "id": "CVE-2026-4728", "lastModified": "2026-03-25T20:55:15.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T13:16:08.680", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the Privacy: Anti-Tracking component", "id": "2450717", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450717"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-290", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nSpoofing issue in the Privacy: Anti-Tracking component"], "name": "CVE-2026-4728", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4728\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4728\nhttps://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4728"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-03-25T13:22:14.629463+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of Firefox or Thunderbird, reading the change log and applying the patch as soon as it is available.", "If an upgrade is not immediately possible, disable the Privacy: Anti\u2011Tracking component or manually re\u2011enable anti\u2011tracking settings to ensure they remain accurate.", "Monitor browser logs for unusual anti\u2011tracking configuration changes and verify that privacy notices match actual behavior.", "Stay informed by visiting Mozilla\u2019s security advisories and applying patches as soon as they are released."], "summary": {"action": "Monitor", "impact": "Spoofing"}, "threat_synthesis": {"affected_systems": "Both Firefox and Thunderbird browsers are affected, but only versions earlier than 149 are vulnerable. This includes all releases of Firefox prior to 149 and Thunderbird releases before 149. Users of these products should check version numbers and apply updates as soon as they become available.", "description_and_impact": "The vulnerability is a spoofing flaw in Mozilla\u2019s Privacy: Anti\u2011Tracking component. It allows an attacker to trick the component into treating a connection or request as subject to anti\u2011tracking rules when it is not, or vice versa. This can mislead users and developers into believing that their privacy settings are enforced when they are not, potentially allowing unwanted tracking or bypassing of intended restrictions. The flaw is identified as CWE\u2011290 (Authentication Failure).", "risk_and_exploitability": "The CVSS base score is 3.4, indicating low overall risk, and the vulnerability is not listed in CISA\u2019s KEV catalog. No EPSS score is available, so the likelihood of exploitation is hard to gauge, but the attack likely requires an attacker to deliver crafted network traffic or craft a phishing document that influences the anti\u2011tracking component. The impact is primarily the ability to impersonate privacy enforcement, which may undermine user trust or compromise the integrity of privacy controls. Prompt upgrades mitigate the threat."}}}}, "created": "2026-03-25T11:47:47.157304+00:00", "updated": "2026-03-25T20:50:25.821957+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}