CVE-2026-6755

Medium

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0002 5.7th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6755 is a medium-severity CSRF (CWE-352) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AT-2 Literacy Training and Awareness

addresses: CWE-352

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.

IA-11 Re-authentication

addresses: CWE-352

Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.

PM-14 Testing, Training, and Monitoring

addresses: CWE-352

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.

SI-4 System Monitoring

addresses: CWE-352

Detects anomalous request patterns consistent with cross-site request forgery.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Browser postMessage mitigation bypass enables remote exploitation resulting in application DoS (crash/hang), directly matching T1499.004 Application or System Exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Deeper analysisAI

CVE-2026-6755 is a mitigation bypass vulnerability in the DOM postMessage component, affecting Mozilla Firefox and Thunderbird. The issue, linked to CWE-352 (Cross-Site Request Forgery), was fixed in Firefox version 150 and Thunderbird version 150. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.

An attacker can exploit this vulnerability over the network with low complexity and low privileges required, without needing user interaction. Exploitation leads to a denial of service, such as application crashes or hangs, while having no impact on confidentiality or integrity.

Mozilla's security advisories MFSA2026-30 and MFSA2026-33 address the vulnerability, recommending updates to Firefox 150 or Thunderbird 150 for mitigation. Further technical details are available in Bugzilla bug 1880429.

Details

CWE(s): CWE-352

Affected Products

mozilla

firefox

≤ 150.0

mozilla

thunderbird

≤ 150.0

CVEs Like This One

CVE-2026-6777Same product: Mozilla Firefox

CVE-2026-6773Same product: Mozilla Firefox

CVE-2026-6746Same product: Mozilla Firefox

CVE-2026-6754Same product: Mozilla Firefox

CVE-2026-0889Same product: Mozilla Firefox

CVE-2026-4727Same product: Mozilla Firefox

CVE-2026-2801Same product: Mozilla Firefox

CVE-2026-6778Same product: Mozilla Firefox

CVE-2026-6781Same product: Mozilla Firefox

CVE-2026-6759Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1880429
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org