Description
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows bypass of the browser’s Same-Origin Policy in the Networking: JAR component, enabling access to resources from other origins. This is an Access to Local Resource via Insecurely Configured Resource (CWE-346) failure that could allow attackers to steal or modify data cross‑origin. The defect was addressed in Firefox and Thunderbird version 151.

Affected Systems

Mozilla Firefox and Thunderbird browsers released prior to version 151 are affected. No specific version list was provided, so all builds before the fix are considered at risk.

Risk and Exploitability

The EPSS score is not publicly available, and the CVSS score is 6.5. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote or local, using crafted JAR files that the browser processes. Successful exploitation would grant the attacker read or write access to data belonging to another origin, thereby compromising confidentiality and integrity.

Generated by OpenCVE AI on May 19, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or later.
  • Upgrade Mozilla Thunderbird to version 151 or later.
  • Monitor Mozilla security advisories for additional patches.

Generated by OpenCVE AI on May 19, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151. Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-863
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Title Same-origin policy bypass in the Networking: JAR component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:55.654Z

Reserved: 2026-05-19T12:30:17.989Z

Link: CVE-2026-8971

cve-icon Vulnrichment

Updated: 2026-05-19T14:16:46.792Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T14:16:53.633

Modified: 2026-05-20T14:41:14.490

Link: CVE-2026-8971

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T19:45:06Z

Weaknesses