Description
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the CVE description, the vulnerability is a spoofing issue in Firefox WebExtensions. The impact of allowing malicious extensions or scripts to impersonate legitimate sites or extensions is inferred from the term "spoofing" and the potential for phishing noted in the description. This can compromise user confidentiality and trust by presenting deceptive content as genuine.

Affected Systems

Affected products are Mozilla Firefox browsers. Version information is not available, but the flaw was fixed in Firefox 151. No other vendors were listed.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, indicating limited publicly known exploitation data. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the likely attack vector involves a user installing or enabling a malicious WebExtension that can send spoofed requests or host content that mimics legitimate sites. The exploit requires local installation or compromise of an existing extension, so it is not remote. Because the flaw is in the browser’s extension handling, mitigation is by patching or disabling the problematic extensions.

Generated by OpenCVE AI on May 19, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151 or later to apply the vendor fix.
  • Remove or disable all untrusted or unknown WebExtensions, especially those not obtained from the official add‑on store.
  • Limit extension installation to vetted sources and review permission requests to ensure extensions do not request unnecessary privileges.

Generated by OpenCVE AI on May 19, 2026 at 15:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151. Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-210
CWE-279

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Title Spoofing issue in WebExtensions
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:53.405Z

Reserved: 2026-05-19T12:29:56.291Z

Link: CVE-2026-8960

cve-icon Vulnrichment

Updated: 2026-05-19T15:34:42.459Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T14:16:52.383

Modified: 2026-05-19T16:16:23.110

Link: CVE-2026-8960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses