Description
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IP Protection component in Mozilla Firefox and Thunderbird allows a flaw that can expose private data, identified as a CWE-200 weakness. This vulnerability can reveal proprietary or confidential content if an attacker can read information that the component is meant to protect. The CVSS score of 7.5 reflects the high severity that could arise from such exposure.

Affected Systems

Firefox and Thunderbird versions older than 151 contain the flaw; version 151 and newer of each product are not vulnerable. No other vendors or products are indicated in the advisory.

Risk and Exploitability

The EPSS score of less than 1% and absence from the CISA KEV catalog suggest a low probability of widespread exploitation. Based on the description, it is inferred that the attack vector likely requires interaction with the vulnerable code path, such as through crafted content or a local user action, rather than an automated remote exploit. As a result, any user or attacker who can trigger the IP Protection logic on an affected installation could access exposed data, maintaining a confidentiality risk until the fix is applied.

Generated by OpenCVE AI on May 20, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 151 or later to receive the vendor‑issued fix
  • Upgrade Thunderbird to version 151 or later to receive the vendor‑issued fix
  • Apply any subsequent security updates from Mozilla as they become available

Generated by OpenCVE AI on May 20, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151. Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151.
Title Information disclosure in the IP Protection component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:46:14.208Z

Reserved: 2026-05-19T12:30:10.538Z

Link: CVE-2026-8966

cve-icon Vulnrichment

Updated: 2026-05-20T15:39:53.828Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:53.043

Modified: 2026-05-20T17:51:24.320

Link: CVE-2026-8966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T19:15:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor