Description
Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Spoofing of Anti-Tracking Data
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Privacy: Anti-Tracking component can allow an attacker to present false information or bypass authentication checks, leading to spoofing of data that the browser or email client relies upon for privacy enforcement. The weakness stems from improper authentication controls, as classified by CWE-290. When triggered, an attacker could cause the client to treat untrusted input as legitimate, potentially undermining privacy protections and exposing user data to unintended parties.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected, with all releases prior to version 149 susceptible. Users running older builds of either product are at risk until they upgrade to a fixed version.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack vector remains inferred from the component involved; it is likely exploitable via crafted web content or email content when the Anti-Tracking feature is enabled.

Generated by OpenCVE AI on April 13, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest updates for Firefox, version 149 or newer.
  • Apply the latest updates for Thunderbird, version 149 or newer.
  • If an immediate update is not possible, temporarily disable the Privacy: Anti-Tracking component in both applications.
  • Stay alert to future advisories from Mozilla and apply subsequent patches as they become available.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Values Added: Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}

threat_severity

Low


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 24 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149.
Values Added: Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149.
Title Spoofing issue in the Privacy: Anti-Tracking component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:10.061Z

Reserved: 2026-03-23T23:22:54.953Z

Link: CVE-2026-4728

Vulnrichment

Updated: 2026-03-25T19:15:09.923Z

NVD

Status: Modified

Published: 2026-03-24T13:16:08.680

Modified: 2026-04-13T15:17:45.423

Link: CVE-2026-4728

Redhat

Severity: Low

Public Date: 2026-03-24T12:30:41Z

Links: CVE-2026-4728 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:49Z

Weaknesses