CVE-2026-8969 - Vulnerability Details

- Mitigation bypass in the DOM: Security component

Description

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

Published: 2026-05-19

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability involves a bypass of the DOM‑level security component in Mozilla products. It represents a failure of a protection mechanism (CWE‑693), meaning that security checks that the browser normally applies to web content could be circumvented. The issues were addressed in Firefox 151 and Thunderbird 151. The description does not disclose how an attacker might leverage this to gain elevation or persistence, so the precise impact on confidentiality, integrity, or availability is unknown beyond the potential for compromised web content to escape normal checks.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird releases older than version 151 are affected. The fix was applied in Firefox 151 and Thunderbird 151, so any installation of these products at or below 150.x (or earlier) remains susceptible to the DOM mitigation bypass.

Risk and Exploitability

The CVSS v3 score of 8.1 classifies the flaw as high severity, though no EPSS value is available and the vulnerability is not listed in the CISA KEV catalog. The description does not detail exploitation evidence, and the attack vector is not explicitly described; the likely attack vector is malicious web content presented to a user, but this is inferred. The vulnerability may allow an attacker to bypass browser‑based mitigations, but because exploitation details are not disclosed, the real‑world risk remains uncertain.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`151`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`151`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[151,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mozilla Firefox to version 151 or later to incorporate the DOM security fix
Upgrade Mozilla Thunderbird to version 151 or later to address the vulnerability
If upgrading cannot be performed immediately, install a reputable script‑blocking or content‑filtering add‑on to mitigate the risk of malicious Web content
Continuously monitor Mozilla security advisories for further patches or mitigations

Generated by OpenCVE AI on May 19, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2031123
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/

History

Wed, 20 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description	Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.	Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References		https://www.mozilla.org/security/advisories/mfsa2026-50/

Tue, 19 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-79

Tue, 19 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79

Tue, 19 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-693
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 19 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Title		Mitigation bypass in the DOM: Security component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2031123 https://www.mozilla.org/security/advisories/mfsa2026-46/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-05-19T12:30:15.692Z

Updated: 2026-05-19T17:10:55.381Z

Reserved: 2026-05-19T12:30:14.951Z

Link: CVE-2026-8969

Vulnrichment

Updated: 2026-05-19T14:25:54.056Z

NVD

Status : Undergoing Analysis

Published: 2026-05-19T14:16:53.390

Modified: 2026-05-20T14:55:56.467

Link: CVE-2026-8969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:15:12Z

Weaknesses

CWE-693
Protection Mechanism Failure

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object