Description
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Upgrade
AI Analysis

Impact

The weakness lies in the storage subsystem of Mozilla’s IndexedDB engine. The advisory states that the issue has been fixed in Firefox 150 and ESR 140.10, as well as Thunderbird 150 and ESR 140.10. Although the precise failure mode is not described in the advisory text, the vulnerability is identified as CWE‑200 and CWE‑440, which indicate potential for information disclosure and improper restriction of operations within bounds.

Affected Systems

Mozilla products Firefox and Thunderbird may be affected. The flaw exists in all builds older than Firefox 150 and Firefox ESR 140.10, as well as Thunderbird 150 and Thunderbird ESR 140.10. Users running any earlier version are potentially exposed to the vulnerability. The flaw is classified as CWE‑200 and CWE‑440.

Risk and Exploitability

The CVSS score is 6.5, EPSS is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. As CWE‑200 and CWE‑440, the flaw could allow an attacker to access confidential data stored in IndexedDB. Exploitation would require that the attacker target a system running an affected version; no additional prerequisites beyond the presence of the susceptible version are disclosed in the advisory.

Generated by OpenCVE AI on April 22, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 150 or later, or to the latest Firefox ESR 140.10 or newer, and to Thunderbird 150 or later, or to the latest Thunderbird ESR 140.10 or newer.
  • Plan the update during a maintenance window to minimize disruption, ensuring that all affected clients receive the patch before any further restarts.
  • Monitor Mozilla’s security advisories for any emerging exploitation or additional mitigation guidance, and remain vigilant for client‑side workarounds until a patch is available.

Generated by OpenCVE AI on April 22, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4546-1 firefox-esr security update
Debian DLA Debian DLA DLA-4549-1 thunderbird security update
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
Debian DSA Debian DSA DSA-6229-1 thunderbird security update
History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-440
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-264

Wed, 22 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-264

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Other issue in the Storage: IndexedDB component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:04.715Z

Reserved: 2026-04-21T12:41:02.849Z

Link: CVE-2026-6770

cve-icon Vulnrichment

Updated: 2026-04-21T13:53:36.319Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.840

Modified: 2026-04-22T15:07:23.650

Link: CVE-2026-6770

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:41:03Z

Links: CVE-2026-6770 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses