Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, identified in the DOM security component of Mozilla Firefox and Thunderbird, allows an attacker to bypass built‑in mitigation controls that are designed to enforce security boundaries within the browser environment. This exploit represents a CWE-693 weakness - a design flaw that permits a security boundary bypass due to insufficient enforcement of security policies - and a CWE-358 issue related to potential information leakage through improper logging. While the advisory does not detail downstream effects, the bypass undermines the intended isolation mechanisms of the DOM, potentially exposing the browser to higher‑risk exploitation when malicious content is rendered.

Affected Systems

All versions of Mozilla Firefox and Thunderbird released prior to the specified updates are affected. The flaw is fixed in Firefox 151 and the Firefox ESR 140.11 branch, as well as in Thunderbird 151 and the Thunderbird ESR 140.11 release; versions equal to or newer than these contain the patch.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk, yet the EPSS score of less than 1 % suggests a low probability of public exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is delivery of malicious content via a web page or local file that exploits the DOM to leverage the bypassed mitigations, allowing an adversary to exploit weaknesses that should otherwise be restrained. Based on the description, this is inferred rather than explicitly stated.

Generated by OpenCVE AI on May 23, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 151 or newer, or to Firefox ESR 140.11 or newer, and to Thunderbird 151 or newer, or to Thunderbird ESR 140.11 or newer.
  • If an immediate update is not feasible, run legacy browsers in isolated or virtualized environments and restrict automatic JavaScript execution for untrusted sites.
  • Continuously monitor Mozilla security advisories and apply future updates as soon as they are released.

Generated by OpenCVE AI on May 23, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Sat, 23 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-358
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-79

Wed, 20 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-79

Tue, 19 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-285

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-269
CWE-285
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Mitigation bypass in the DOM: Security component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:46:25.018Z

Reserved: 2026-05-19T12:29:59.235Z

Link: CVE-2026-8962

cve-icon Vulnrichment

Updated: 2026-05-20T15:13:12.151Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.600

Modified: 2026-05-20T17:56:52.173

Link: CVE-2026-8962

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-19T12:29:59Z

Links: CVE-2026-8962 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T14:00:06Z

Weaknesses