Description
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Interface Spoofing
Action: Patch Upgrade
AI Analysis

Impact

The flaw is a DOM: Core & HTML component spoofing vulnerability that allows a malicious web page to forge or misrepresent DOM elements. The resulting distortion of the user interface can enable phishing or credential theft, but it does not provide code execution or direct system compromise. The weakness involves insecure handling of UI elements, reflected in CWE‑1021 and CWE‑290.

Affected Systems

Mozilla Firefox versions earlier than 150, including all standard releases and ESR branches prior to ESR 115.35 and ESR 140.10, are affected. Mozilla Thunderbird versions earlier than 150, and all ESR releases earlier than ESR 140.10, are vulnerable. The listed patch levels (Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, Thunderbird ESR 140.10) contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score falls below 1 %, showing a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no known exploits. The likely attack vector is a malicious or compromised website that a user visits; the attacker would exploit browser core DOM handling to impersonate trusted UI elements. User interaction is required, but the potential for user confusion and credential leakage warrants prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 150 or to ESR 115.35 or ESR 140.10
  • Upgrade Mozilla Thunderbird to version 150 or to ESR 140.10
  • If a rapid upgrade is not possible, run the affected browsers in safe mode, disable all extensions, and enforce strict network controls to limit exposure to malicious sites

Generated by OpenCVE AI on April 28, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4546-1 firefox-esr security update
Debian DLA Debian DLA DLA-4549-1 thunderbird security update
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
Debian DSA Debian DSA DSA-6229-1 thunderbird security update
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-74
CWE-79

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Wed, 22 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-74
CWE-79

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-79

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-79

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox
References

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title Spoofing issue in the DOM: Core & HTML component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:34:52.494Z

Reserved: 2026-04-21T12:40:56.529Z

Link: CVE-2026-6762

cve-icon Vulnrichment

Updated: 2026-04-22T14:33:31.539Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.137

Modified: 2026-04-22T17:38:29.797

Link: CVE-2026-6762

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:56Z

Links: CVE-2026-6762 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses