CVE-2026-6762 - Vulnerability Details

- Spoofing issue in the DOM: Core & HTML component

Description

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Published: 2026-04-21

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a DOM: Core & HTML component spoofing flaw that allows a malicious web page to forge or misrepresent DOM elements, potentially leading to user confusion, phishing, or credential theft. It manifests in both Mozilla Firefox and Thunderbird browsers. The flaw does not provide direct code execution but can damage the integrity of the user interface. It is aligned with input validation and user interface integrity weaknesses.

Affected Systems

Mozilla Firefox versions before 150 and Mozilla Thunderbird versions before 150 are vulnerable. Firefox ESR 115.35, Firefox ESR 140.10, and Thunderbird ESR 140.10 contain the fix and are not affected. Systems running those versions are safe.

Risk and Exploitability

No EPSS score is listed, and the vulnerability is not indexed in the CISA KEV catalog, indicating no known exploitation yet. The likely attack vector involves a maliciously crafted web page that the user visits, as the flaw resides in the browser’s core DOM handling. The risk for a typical organization is moderate: an attacker could deceive users but requires user interaction. Nonetheless, the lack of a public exploit reduces but does not eliminate the risk, so patching is advised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.35`	unaffected	≤ 115.*
`140.10`	unaffected	≤ 140.*
`150`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.10`	unaffected	≤ 140.*
`150`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[115.35,115.*]`	unaffected	generic	—
`[140.10,140.*]`	unaffected	generic	—
`[150,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mozilla Firefox to at least version 150, or to Firefox ESR 115.35 or ESR 140.10
Upgrade Mozilla Thunderbird to at least version 150, or to Thunderbird ESR 140.10
Run browsers in safe mode to verify the issue is resolved and to disable extensions that could manipulate the DOM
Enable built‑in script blocking or enforce a stricter Content Security Policy to limit malicious DOM modifications if an immediate upgrade is not possible

Generated by OpenCVE AI on April 22, 2026 at 10:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6225-1	firefox-esr security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2021080
https://nvd.nist.gov/vuln/detail/CVE-2026-6762
https://www.cve.org/CVERecord?id=CVE-2026-6762
https://www.mozilla.org/security/advisories/mfsa2026-30/
https://www.mozilla.org/security/advisories/mfsa2026-31/
https://www.mozilla.org/security/advisories/mfsa2026-31/#CVE-2026-6762
https://www.mozilla.org/security/advisories/mfsa2026-32/
https://www.mozilla.org/security/advisories/mfsa2026-32/#CVE-2026-6762
https://www.mozilla.org/security/advisories/mfsa2026-33/
https://www.mozilla.org/security/advisories/mfsa2026-34/

History

Wed, 22 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*
Vendors & Products		Mozilla thunderbird

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-290
Metrics	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}`

Wed, 22 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1021
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6762 https://www.cve.org/CVERecord?id=CVE-2026-6762 https://www.mozilla.org/security/advisories/mfsa2026-31/#CVE-2026-6762 https://www.mozilla.org/security/advisories/mfsa2026-32/#CVE-2026-6762
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` threat_severity `Moderate`

Wed, 22 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-74 CWE-79

Wed, 22 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200 CWE-79

Wed, 22 Apr 2026 03:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-79

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description	Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.	Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox
References		https://www.mozilla.org/security/advisories/mfsa2026-33/ https://www.mozilla.org/security/advisories/mfsa2026-34/

Tue, 21 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title		Spoofing issue in the DOM: Core & HTML component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2021080 https://www.mozilla.org/security/advisories/mfsa2026-30/ https://www.mozilla.org/security/advisories/mfsa2026-31/ https://www.mozilla.org/security/advisories/mfsa2026-32/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-04-21T12:40:56.838Z

Updated: 2026-04-22T15:34:52.494Z

Reserved: 2026-04-21T12:40:56.529Z

Link: CVE-2026-6762

Vulnrichment

Updated: 2026-04-22T14:33:31.539Z

NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.137

Modified: 2026-04-22T17:38:29.797

Link: CVE-2026-6762

Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:56Z

Links: CVE-2026-6762 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T10:15:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object