Description
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported vulnerability is a spoofing flaw within the Web Speech component of Mozilla Firefox. An attacker could potentially pose as a trusted origin, causing the browser to accept or execute speech commands that the user believes are legitimate. This deception can allow an attacker to trick the user or manipulate the web page into performing unintended actions, resulting in confidentiality, integrity, or availability concerns. The nature of the weakness is related to improper access control or verification during the use of the Web Speech API.

Affected Systems

Mozilla Firefox versions prior to 151 are impacted. The flaw was fixed in Firefox 151, and no other vendors or products are listed in the supplied data.

Risk and Exploitability

The CVSS score is 7.5, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a malicious web page that uses the Web Speech API to present or execute recognized speech content without correct origin validation. While there is no public evidence of exploitation, the absence of a check suggests the flaw could be leveraged by attackers with sufficient skill. Promptly applying the vendor patch is advised owing to the potential for deceptive or destructive behavior.

Generated by OpenCVE AI on May 19, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151 or newer, which contains the fix for the Web Speech spoofing flaw.
  • Disable the Web Speech component for untrusted origins by configuring browser preferences or using an extension that blocks the API when it is not required for legitimate use.
  • Ensure the browser is set to automatically receive security updates and monitor official advisories for related vulnerabilities.

Generated by OpenCVE AI on May 19, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151. Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-284
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Title Spoofing issue in the Web Speech component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:53.774Z

Reserved: 2026-05-19T12:30:03.895Z

Link: CVE-2026-8963

cve-icon Vulnrichment

Updated: 2026-05-19T14:55:06.537Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T14:16:52.717

Modified: 2026-05-19T16:16:23.287

Link: CVE-2026-8963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T17:15:10Z

Weaknesses