Description
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a spoofing issue in the Popup Blocker component of Mozilla Firefox and Thunderbird. Based on its description, it is inferred that a malicious popup could be presented as originating from a trusted or familiar source, potentially leading users to disclose sensitive information or engage with malicious content. This weakness corresponds to CWE‑451.

Affected Systems

Any installation of Mozilla Firefox or Thunderbird older than version 151 is affected. The vulnerability applies regardless of operating system, as it resides entirely within the browser client and does not require elevated privileges or special network services.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate-to-high impact, reflecting the potential for significant user deception. The EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is unknown but could exist in the wild in typical use scenarios. Based on the description, it is inferred that the likely attack vector involves an active adversary that can host or craft a malicious webpage or phishing link; the user must inadvertently load that page in their browser for the spoofed popup to appear.

Generated by OpenCVE AI on May 19, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 151 or newer
  • Configure the popup blocker to strict mode and disable any exception lists for unknown sites
  • Educate users to recognize and avoid deceptive pop‑ups

Generated by OpenCVE AI on May 19, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
CWE-200

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151. Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
CWE-200

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.
Title Spoofing issue in the Popup Blocker component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:54.077Z

Reserved: 2026-05-19T12:30:07.287Z

Link: CVE-2026-8964

cve-icon Vulnrichment

Updated: 2026-05-19T14:59:14.349Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.823

Modified: 2026-05-20T14:57:04.170

Link: CVE-2026-8964

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T19:30:12Z

Weaknesses
  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information