Description
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Mitigation Bypass
Action: Patch
AI Analysis

Impact

The vulnerability lies in the File Handling component of Mozilla products and is classified as CWE-66 (Configuration and Deployment Management) and CWE-693 (Protection Mechanism Failure). It enables malicious actors to bypass implemented mitigations that enforce safe file handling, potentially altering program behaviour. The impact constitutes a mitigation bypass that may facilitate exploitation of other weaknesses.

Affected Systems

Both Mozilla Firefox and Mozilla Thunderbird are affected. In Firefox, all versions before 150 and ESR releases prior to 140.10 contain the flaw; Thunderbird is vulnerable in all versions before 150 and ESR releases before 140.10. The flaw is present in every build of these products that predates the mitigation fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The risk depends on an adversary's ability to supply files or code that reach the vulnerable component. While direct exploitation may require local or trusted code execution, a bypass of file-handling mitigations could lower the bar for other attacks that rely on the same component. The vulnerability was officially fixed in Firefox 150 / ESR 140.10 and Thunderbird 150 / ESR 140.10.

Generated by OpenCVE AI on April 22, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Firefox or Firefox ESR update (version 150 or newer, ESR 140.10 or newer).
  • Apply the latest Thunderbird or Thunderbird ESR update (version 150 or newer, ESR 140.10 or newer).
  • Temporarily disable or uninstall any extensions or add-ons that interact with the file handling component until the update is applied.

Advisories
Source        ID           Title
Debian DSA    DSA-6225-1   firefox-esr security update
History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-66
References
Metrics
  Values Removed: threat_severity None
  Values Added: threat_severity Moderate


Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
  Values Added: Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-693
References
Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Mitigation bypass in the File Handling component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:56.036Z

Reserved: 2026-04-21T12:40:57.216Z

Link: CVE-2026-6763

Vulnrichment

Updated: 2026-04-21T20:12:02.113Z

NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.227

Modified: 2026-04-22T17:38:00.877

Link: CVE-2026-6763

Redhat

Severity : Moderate

Public Date: 2026-04-21T12:40:57Z

Links: CVE-2026-6763 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses