Description
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a same-origin policy bypass in the Networking: HTTP component of Mozilla browsers. It allows a malicious web page or extension to read or manipulate resources belonging to other origins, thereby undermining the web browser’s fundamental security model. This flaw is a defect that could enable attackers to exfiltrate sensitive data or facilitate downstream attacks such as phishing or credential theft.

Affected Systems

Affected are Mozilla Firefox browsers and Thunderbird clients. The defect was present in all releases before Firefox version 151 and Firefox ESR 140.11, and before Thunderbird version 151 and Thunderbird ESR 140.11. Users running older versions remain vulnerable until they upgrade to the patched releases.

Risk and Exploitability

Since the defect resides in the client‑side HTTP handling code, the likely attack vector is a malicious web page that forces the browser to issue cross‑origin requests, potentially reading data from other origins. With a CVSS score of 9.3, the vulnerability is rated as very high severity. No EPSS data or KEV listing is available, indicating that exploitation has not yet been reported in the public domain, but the breach of same‑origin policy is a severe security weakness. The risk remains high for any machine running a vulnerable version, and timely patching is strongly recommended.

Generated by OpenCVE AI on May 19, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to at least version 151 or Firefox ESR 140.11 and upgrade Thunderbird to at least version 151 or Thunderbird ESR 140.11 where the fix is applied.
  • Configure your organization’s web filtering or firewall policies to detect and block suspicious cross‑origin requests that may signal exploitation attempts.
  • Subscribe to Mozilla security advisories and monitor browser update channels to ensure prompt application of future patches.

Generated by OpenCVE AI on May 19, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Same-origin policy bypass in the Networking: HTTP component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:48.079Z

Reserved: 2026-05-19T12:29:41.562Z

Link: CVE-2026-8950

cve-icon Vulnrichment

Updated: 2026-05-19T15:47:23.890Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:51.257

Modified: 2026-05-20T15:00:29.693

Link: CVE-2026-8950

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T12:29:42Z

Links: CVE-2026-8950 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T19:30:12Z

Weaknesses