Description
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cookie Mitigation Bypass
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to bypass the cookie mitigation checks implemented by the Networking: Cookies component, enabling the setting or reading of cookies that should otherwise be prohibited.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird installations using any version before 150 are vulnerable; the fix was introduced in Firefox 150 and Thunderbird 150.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation. It is not listed in CISA KEV. Based on the description, it is inferred that exploitation requires malicious content that triggers the cookie handling logic, such as crafted HTTP requests or malicious web pages injected into the browser or email client.

Generated by OpenCVE AI on April 28, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox and Thunderbird to version 150 or later to apply the fixed checks for cookie mitigation, addressing CWE‑288.
  • Disable or remove extensions that modify cookie handling behavior, mitigating CWE‑807 exploitation of untrusted input.
  • Enforce stricter cookie policies, ensuring cookies have Secure and SameSite attributes and disabling third‑party cookies to reduce potential bypass vectors.

Generated by OpenCVE AI on April 28, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Wed, 22 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150. Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
References

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.
Title Mitigation bypass in the Networking: Cookies component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:34:58.133Z

Reserved: 2026-04-21T12:40:54.751Z

Link: CVE-2026-6760

cve-icon Vulnrichment

Updated: 2026-04-22T14:32:04.359Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:21.950

Modified: 2026-04-22T17:38:48.167

Link: CVE-2026-6760

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:55Z

Links: CVE-2026-6760 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses