CRITICAL🇵🇱 Wersja polska

CVE-2026-6771

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-04-22

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) involves bypassing existing security controls in the DOM Security component. An attacker can exploit an alternative path or mechanism in the code handling the Document Object Model (DOM) to circumvent imposed security restrictions. The attack does not require elevated privileges or special network conditions, making it particularly dangerous in browser environments.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of confidentiality, integrity, and availability of data processed by the application, which corresponds to maximum CVSS scores for all three categories (C:H/I:H/A:H).

Mitigation & patch

Software should be updated to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10, in which the vulnerability has been patched. Updates are available through official Mozilla distribution channels.

Who is affected

Mozilla Firefox versions before 150 and Firefox ESR before 140.10, as well as Mozilla Thunderbird versions before 150 and before 140.10.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 150.0140.0 – 140.10.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    140.0 – 140.10.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...