Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: DOM security bypass
Action: Patch immediately
AI Analysis

Impact

The vulnerability, titled "Mitigation bypass in the DOM: Security component," allows the security checks that the browser applies to the Document Object Model to be bypassed. The defect was addressed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird ESR 140.10. The CVSS score of 9.8 indicates that an attacker could achieve a highly damaging outcome, although the specific effects are not stated in the description and must be inferred from the score alone.

Affected Systems

Mozilla Firefox versions earlier than 150 and any ESR releases prior to 140.10 are affected, as are Mozilla Thunderbird versions earlier than 150 and any ESR releases before 140.10. Users of these releases should apply the patched versions.

Risk and Exploitability

The high CVSS rating identifies this flaw as severe, while the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting that it is not currently widely exploited. The attack vector is likely client-side, as the flaw resides in the browser’s DOM processing. In the absence of known exploitation, the risk is primarily theoretical but should be considered significant given the potential impact inferred from the CVSS score.

Generated by OpenCVE AI on April 22, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update for Mozilla Firefox (version 150 or newer or ESR 140.10 or newer).
  • Apply the official update for Mozilla Thunderbird (version 150 or newer or ESR 140.10 or newer).
  • If a patch cannot be applied immediately, disable or remove any extensions that alter the DOM or modify browser security settings to mitigate potential conflicts with the built-in mitigations.


Advisories
Source: Debian DSA
ID: DSA-6225-1
Title: firefox-esr security update
History

Wed, 22 Apr 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Mozilla thunderbird

Type: CPEs
Values:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Type: Vendors & Products
Values: Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type: Weaknesses
Values: CWE-358

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Moderate


Wed, 22 Apr 2026 08:00:00 +0000

Type: Weaknesses
Values: CWE-200, CWE-693

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Values Added: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Type: Weaknesses
Values: CWE-200, CWE-288, CWE-693

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Mozilla, Mozilla firefox

Type: Vendors & Products
Values: Mozilla, Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
Values Added: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Type: Title
Values Added: Mitigation bypass in the DOM: Security component

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:05.769Z

Reserved: 2026-04-21T12:41:03.627Z

Link: CVE-2026-6771

Vulnrichment

Updated: 2026-04-21T19:30:46.654Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:22.927

Modified: 2026-04-22T16:06:55.580

Link: CVE-2026-6771

Redhat

Severity: Moderate

Public Date: 2026-04-21T12:41:03Z

Links: CVE-2026-6771 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses