Description
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Mitigation Bypass via postMessage
Action: Immediate Upgrade
AI Analysis

Impact

A flaw in the DOM postMessage component allows standard browser mitigations to be bypassed, enabling an attacker to send crafted messages that the application treats as trustworthy. This bypass can allow privileged actions within the page to be executed without user consent, potentially leading to unauthorized data access or transaction forging. The vulnerability is classified as a Cross-Site Request Forgery weakness (CWE-352).

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. All releases prior to version 150 contain the flaw, as it was fixed in both Firefox 150 and Thunderbird 150. No specific sub‑versions are listed, so any installation of Firefox or Thunderbird older than 150 should be considered at risk.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote: a malicious web page or third-party script can send a crafted postMessage to a vulnerable page, bypassing normal message-origin checks and potentially triggering privileged operations. Successful exploitation would require the victim to have the vulnerable page loaded in their browser and the attacker to control a source that can communicate with it via postMessage.

Generated by OpenCVE AI on April 22, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 150 or newer, which contains the hardening fix.
  • Update Mozilla Thunderbird to version 150 or newer, which contains the hardening fix.
  • If an upgrade cannot be performed immediately, modify the affected web application to verify the origin field of every postMessage event and reject any messages that do not originate from trusted domains.
  • Ensure that any third‑party scripts or embedded content on the page also perform strict origin checks before calling postMessage, and consider removing or sandboxing untrusted content.
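The origin check recommended above, as an added example (not code from this advisory or from Mozilla): an unsafe message handler beside a hardened one, plus a sender that names its target origin. The origins and the "setRole" message are hypothetical.

```javascript
// Added example: a postMessage receiver that enforces the origin check
// recommended above. Event objects are constructed inline so this runs
// under Node; in a page the handler would be registered with
// window.addEventListener("message", ...).

// Exact-match allowlist. Origins must match as whole strings: a check like
// origin.includes("example.com") would also accept unrelated origins that
// merely contain the trusted hostname.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",    // hypothetical first-party origin
  "https://widget.example.com"  // hypothetical embedded-widget origin
]);

// Unsafe handler: acts on any message regardless of sender. This is the
// pattern the recommended actions above tell application authors to remove.
function unsafeHandler(event, state) {
  if (event.data && event.data.action === "setRole") {
    state.role = event.data.role;
    return true;
  }
  return false;
}

// Hardened handler: drop anything not from an allowlisted origin, then
// validate the message shape before acting on it.
function hardenedHandler(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || msg.action !== "setRole") return false;
  if (!["viewer", "editor"].includes(msg.role)) return false;
  state.role = msg.role;
  return true;
}

// Sender side: name the intended recipient origin instead of "*", so the
// message is not delivered if the target frame has navigated elsewhere.
function sendRole(targetWindow, role) {
  targetWindow.postMessage({ action: "setRole", role }, "https://app.example.com");
}

// Constructed sample events standing in for browser MessageEvent objects.
const EVENTS = {
  trusted:   { origin: "https://app.example.com", data: { action: "setRole", role: "editor" } },
  untrusted: { origin: "https://untrusted.example", data: { action: "setRole", role: "editor" } },
  lookalike: { origin: "https://app.example.com.untrusted.example", data: { action: "setRole", role: "editor" } }
};
```

Running the three sample events through both handlers shows the unsafe one accepting all of them while the hardened one accepts only the exact allowlisted origin.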

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
  Values Removed: Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150.
  Values Added:   Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Type: References

Tue, 21 Apr 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Mozilla; Mozilla firefox
Type: Vendors & Products
  Values Added: Mozilla; Mozilla firefox

Tue, 21 Apr 2026 14:15:00 +0000

Type: Weaknesses
  Values Added: CWE-352
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
  Values Added: Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150.
Type: Title
  Values Added: Mitigation bypass in the DOM: postMessage component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:47.512Z

Reserved: 2026-04-21T12:40:51.062Z

Link: CVE-2026-6755

Vulnrichment

Updated: 2026-04-21T13:47:11.033Z

NVD

Status: Undergoing Analysis

Published: 2026-04-21T13:16:21.510

Modified: 2026-04-22T00:16:31.400

Link: CVE-2026-6755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:00:09Z

Weaknesses