VYPR
Critical severity 9.1 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8948

Description

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Same-origin policy bypass in the DOM: Networking component of Firefox and Thunderbird allows cross-origin data access, fixed in version 151.

Vulnerability

CVE-2026-8948 is a same-origin policy bypass vulnerability in the DOM: Networking component of Firefox and Thunderbird. It affects all versions prior to Firefox 151 and Thunderbird 151 [1][2]. The bug was reported by satyamasd and tracked as Bug 2038803 [3].

Exploitation

An attacker can exploit this vulnerability by tricking a user into visiting a malicious website or, in the case of Thunderbird, opening a crafted email in a browser-like context (scripting is disabled by default in Thunderbird's email reader). The bypass allows the attacker to read data from other origins, violating the same-origin policy [1][2].

Impact

Successful exploitation enables an attacker to bypass the same-origin policy, potentially leading to the disclosure of sensitive information (e.g., cookies, authentication tokens, or page content) from other websites. This impacts confidentiality, as the attacker can exfiltrate data across origins. The vulnerability is rated Critical with a CVSS v3 score of 9.1 [1][2].

Mitigation

The vulnerability is fixed in Firefox 151 and Thunderbird 151, released on May 19, 2026 [1][2]. Users should update to these versions or later. No workarounds are available. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

3