Description
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the CVE description, the vulnerability is a spoofing issue in Firefox WebExtensions. The impact of allowing malicious extensions or scripts to impersonate legitimate sites or extensions is inferred from the term "spoofing". This can compromise user confidentiality and trust by presenting deceptive content as genuine.

Affected Systems

Affected products are Mozilla Firefox browsers and Mozilla Thunderbird. Version information is not available, but the flaw was fixed in Firefox 151 and Thunderbird 151. Both browsers are listed as affected.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is unavailable, indicating limited publicly known exploitation data. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the likely attack vector involves a user installing or enabling a malicious WebExtension that can send spoofed requests or host content that mimics legitimate sites. The exploit requires local installation or compromise of an existing extension, so it is not remote. Because the flaw is in the browser’s extension handling, mitigation is by patching or disabling the problematic extensions.

Generated by OpenCVE AI on May 19, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151 or later to apply the vendor fix.
  • Upgrade to Thunderbird 151 or later to apply the vendor fix.
  • Remove or disable all untrusted or unknown WebExtensions, especially those not obtained from the official add‑on store.
  • Limit extension installation to vetted sources and review permission requests to ensure extensions do not request unnecessary privileges.

Generated by OpenCVE AI on May 19, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-210
CWE-279

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151. Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-210
CWE-279

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Title Spoofing issue in WebExtensions
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:53.405Z

Reserved: 2026-05-19T12:29:56.291Z

Link: CVE-2026-8960

cve-icon Vulnrichment

Updated: 2026-05-19T15:34:42.459Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.383

Modified: 2026-05-20T14:20:06.967

Link: CVE-2026-8960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T19:15:12Z

Weaknesses