CVE-2026-8963 - Vulnerability Details

- Spoofing issue in the Web Speech component

Description

Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Published: 2026-05-19

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The reported vulnerability is a spoofing flaw within the Web Speech component of Mozilla Firefox. An attacker could potentially pose as a trusted origin, causing the browser to accept or execute speech commands that the user believes are legitimate. This deception can allow an attacker to trick the user or manipulate the web page into performing unintended actions, resulting in confidentiality, integrity, or availability concerns. The nature of the weakness is related to improper access control or verification during the use of the Web Speech API.

Affected Systems

Mozilla Firefox and Thunderbird versions prior to 151 are impacted. The flaw was fixed in Firefox 151 and Thunderbird 151, and the supplied data identifies both vendors as affected.

Risk and Exploitability

The CVSS score is 7.5, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a malicious web page that uses the Web Speech API to present or execute recognized speech content without correct origin validation. While there is no public evidence of exploitation, the absence of a check suggests the flaw could be leveraged by attackers with sufficient skill. Promptly applying the vendor patch is advised owing to the potential for deceptive or destructive behavior.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`151`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`151`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[151,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Firefox 151 or newer, which contains the fix for the Web Speech spoofing flaw.
Upgrade to Thunderbird 151 or newer, which addresses the same vulnerability.
Disable the Web Speech component for untrusted origins by configuring browser preferences or using an extension that blocks the API when it is not required for legitimate use.
Ensure the browser is set to automatically receive security updates and monitor official advisories for related vulnerabilities.

Generated by OpenCVE AI on May 19, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2021222
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/

History

Wed, 20 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::-:::*
Vendors & Products		Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description	Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.	Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References		https://www.mozilla.org/security/advisories/mfsa2026-50/

Tue, 19 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Tue, 19 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-290
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Weaknesses		CWE-284
Vendors & Products		Mozilla Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Title		Spoofing issue in the Web Speech component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2021222 https://www.mozilla.org/security/advisories/mfsa2026-46/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-05-19T12:30:06.175Z

Updated: 2026-05-19T17:10:53.774Z

Reserved: 2026-05-19T12:30:03.895Z

Link: CVE-2026-8963

Vulnrichment

Updated: 2026-05-19T14:55:06.537Z

NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.717

Modified: 2026-05-20T14:57:19.880

Link: CVE-2026-8963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:15:12Z

Weaknesses

CWE-290
Authentication Bypass by Spoofing

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object