CVE-2026-6755
Published: 21 April 2026
Summary
CVE-2026-6755 is a medium-severity CSRF (CWE-352) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6755 is a mitigation bypass vulnerability in the DOM postMessage component, affecting Mozilla Firefox and Thunderbird. The issue, linked to CWE-352 (Cross-Site Request Forgery), was fixed in Firefox version 150 and Thunderbird version 150. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.
An attacker can exploit this vulnerability over the network with low complexity and low privileges required, without needing user interaction. Exploitation leads to a denial of service, such as application crashes or hangs, while having no impact on confidentiality or integrity.
Mozilla's security advisories MFSA2026-30 and MFSA2026-33 address the vulnerability, recommending updates to Firefox 150 or Thunderbird 150 for mitigation. Further technical details are available in Bugzilla bug 1880429.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24096
Vulnerability details
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Browser postMessage mitigation bypass enables remote exploitation resulting in application DoS (crash/hang), directly matching T1499.004 Application or System Exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch (Firefox/Thunderbird 150) that eliminates the postMessage mitigation bypass.
Implements denial-of-service protection mechanisms that limit or block the availability impact (crash/hang) resulting from exploitation of the bypass.
Enforces information flow rules between browsing contexts, directly addressing the postMessage component where the mitigation bypass occurs.