CVE-2026-6770
Description
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unspecified issue in Mozilla's IndexedDB component was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, with a CVSS v3 score of 6.5.
Vulnerability Overview
CVE-2026-6770 is an unspecified issue in the Storage: IndexedDB component of Mozilla products. The vulnerability was addressed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, as announced on April 21, 2026 [1][2][3][4]. While the exact nature of the bug is not detailed in the advisories, it is classified as a medium-severity flaw with a CVSS v3 base score of 6.5.
Exploitation Context
Given that the issue resides in IndexedDB, a client-side storage API used by web applications, exploitation likely requires the victim to visit a malicious webpage or open a specially crafted HTML document in a browser-like context. Mozilla notes that in Thunderbird, scripting is disabled when reading email, which should prevent exploitation through email alone [1][3]. However, in Firefox or browser-based environments, an attacker could potentially trigger the vulnerability through crafted JavaScript.
Impact and Mitigation
The impact could include data corruption or unauthorized access to IndexedDB stores, leading to information disclosure or other undefined behavior. The CVSS score of 6.5 indicates a moderate risk. Mozilla has released fixed versions for all affected products: Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10 [2][4]. Users are advised to update to these versions immediately. No workarounds are provided. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <150.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <140.10.0
- (no CPE) range: <150
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-30/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-32/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-33/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-34/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)
News mentions
- ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News · May 4, 2026)