Description
Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a flaw in the DOM Workers component of Mozilla’s browsers, allowing malicious web content to elevate its privileges within the Document Object Model. By exploiting this weakness, an attacker can execute scripts with higher privileges than the normal sandboxed web environment permits, which could compromise confidentiality, integrity, or availability of the user’s data and the browser itself. The flaw is mitigated by updates in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird ESR 140.11.

Affected Systems

All users running Mozilla Firefox or Thunderbird versions prior to the patched releases are affected. This includes standard releases before Firefox 151 and Thunderbird 151, as well as the ESR lines before Firefox ESR 140.11 and Thunderbird ESR 140.11.

Risk and Exploitability

The EPSS score is < 1 %, indicating a low likelihood of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The CVSS score of 8.8 reflects high severity. Exploitation would likely require a crafted web page that targets the Workers component; no additional remote code execution beyond the compromised page is described. While publicly known exploits are currently lacking, the privilege‑escalation potential warrants timely remediation.

Generated by OpenCVE AI on May 22, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of Firefox or Thunderbird that includes the fix—at minimum Firefox 151 or Firefox ESR 140.11, and Thunderbird 151 or Thunderbird ESR 140.11.
  • If an update cannot be performed immediately, disable the Workers component or remove its capabilities via browser preferences or group policy so that malicious content cannot trigger the flaw.
  • Employ additional isolation controls such as strict Content Security Policy headers or a sandboxed browsing environment to limit the impact of any malicious web content that might still execute.



Advisories
Source      ID          Title
Debian DLA  DLA-4592-1  firefox-esr security update
Debian DLA  DLA-4594-1  thunderbird security update
Debian DSA  DSA-6283-1  firefox-esr security update
Debian DSA  DSA-6288-1  thunderbird security update

History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics
  Removed: threat_severity None
  Added: threat_severity Moderate


Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
  Added: Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Privilege escalation in the DOM: Workers component
References

Subscriptions

Mozilla Firefox Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:37:35.207Z

Reserved: 2026-05-19T12:29:48.978Z

Link: CVE-2026-8955

Vulnrichment

Updated: 2026-05-19T14:20:14.577Z

NVD

Status: Modified

Published: 2026-05-19T14:16:51.820

Modified: 2026-05-20T17:16:29.980

Link: CVE-2026-8955

Redhat

Severity: Moderate

Public Date: 2026-05-19T12:29:49Z

Links: CVE-2026-8955 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:15:06Z

Weaknesses