CRITICAL🇵🇱 Wersja polska

CVE-2026-4700

CVSS 9.8v3.1pub. 2026-03-24upd. 2026-06-30

Mitigation bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-288 indicates a bypass of authentication mechanism or access control via an alternative path or channel in the HTTP protocol handling component. A remote, unauthenticated attacker can bypass existing network security measures implemented in the HTTP layer of the browser or email client. A network attack vector (AV:N) with no privilege requirements (PR:N) and user interaction (UI:N) means the exploit can be conducted entirely remotely and automatically.

Impact

Successful exploitation of the vulnerability may give an attacker full control over the targeted system, resulting in disclosure of confidential data, modification of resources, and disruption of service availability (high indicators C:H/I:H/A:H in CVSS).

Mitigation & patch

Immediately update to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9, in which the vulnerability has been fixed. Patches are available on the official manufacturer's websites and described in Mozilla security advisories (MFSA2026-20, MFSA2026-22, MFSA2026-23, MFSA2026-24).

Who is affected

Mozilla Firefox versions before 149, Mozilla Firefox ESR versions before 140.9, Mozilla Thunderbird versions before 149, and Mozilla Thunderbird ESR versions before 140.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.9.0< 149.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...