CVE-2026-8965
Description
Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure vulnerability in the DOM: Security component of Firefox and Thunderbird, fixed in version 151 of each.
Vulnerability
An information disclosure vulnerability exists in the DOM: Security component of Firefox and Thunderbird before version 151 [1][2]. The specific code path and conditions required to trigger the disclosure are not detailed in the available references, but the vulnerability is rated as High impact and affects all versions prior to the fix [1][2].
Exploitation
No exploitation details are provided in the available references. The advisory notes that in Thunderbird, scripting is disabled when reading mail, so the vulnerability is not exploitable through email; it presents a risk only in browser or browser-like contexts [2]. For Firefox, the attacker would likely need to deliver malicious content through a web page or other browser-accessible context, but the exact prerequisites are not disclosed [1][2].
Impact
Successful exploitation could lead to the disclosure of sensitive information, potentially including data that should be protected by the browser's security policies [1]. The impact is rated High, indicating a significant confidentiality breach [1][2].
Mitigation
Mozilla has fixed the vulnerability in Firefox 151 and Thunderbird 151, both released on May 19, 2026 [1][2]. Users should update to these versions or later. No workarounds are available for unpatched versions [1][2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <151
- Range: <151
- Range: <151
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)