CRITICAL🇵🇱 Wersja polska

CVE-2026-2790

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-04-13

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The vulnerability (CWE-346) consists of improper verification of request origin in the JAR archive handling component in the browser's network layer. An attacker can exploit the error in Same-Origin Policy enforcement to allow a malicious website to access data or resources from a different origin — contrary to the expected domain isolation. The attack requires no authentication, user interaction, or special network conditions, as evidenced by the CVSS vector (AV:N/AC:L/PR:N/UI:N).

Impact

An attacker can gain unauthorized access to sensitive data, modify content, or violate the integrity and availability of resources protected by Same-Origin Policy, which may lead to session theft, personal data theft, or other sensitive information disclosure.

Mitigation & patch

Update to Firefox 148 or Firefox ESR 140.8, Thunderbird 148 or Thunderbird 140.8, where the vulnerability has been patched. Patches are available in manufacturer references (mozilla.org/security/advisories).

Who is affected

Mozilla Firefox versions prior to 148 and Firefox ESR versions prior to 140.8, Mozilla Thunderbird versions prior to 148 and Thunderbird ESR versions prior to 140.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.8.0< 148.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...