Cyber Resilience

CVE-2026-6755

Medium

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0019 8.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-6755 is a medium-severity CSRF (CWE-352) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6755 is a mitigation bypass vulnerability in the DOM postMessage component, affecting Mozilla Firefox and Thunderbird. The issue, linked to CWE-352 (Cross-Site Request Forgery), was fixed in Firefox version 150 and Thunderbird version 150. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.

An attacker can exploit this vulnerability over the network with low complexity and low privileges required, without needing user interaction. Exploitation leads to a denial of service, such as application crashes or hangs, while having no impact on confidentiality or integrity.

Mozilla's security advisories MFSA2026-30 and MFSA2026-33 address the vulnerability, recommending updates to Firefox 150 or Thunderbird 150 for mitigation. Further technical details are available in Bugzilla bug 1880429.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Browser postMessage mitigation bypass enables remote exploitation resulting in application DoS (crash/hang), directly matching T1499.004 Application or System Exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-15660Same vendor: Mozilla
CVE-2023-4047Same product: Mozilla Firefox
CVE-2025-1074Shared CWE-352
CVE-2024-26469Shared CWE-352
CVE-2023-27623Shared CWE-352
CVE-2021-20096Shared CWE-352
CVE-2024-31268Shared CWE-352
CVE-2024-37227Shared CWE-352
CVE-2022-41253Shared CWE-352
CVE-2021-22202Shared CWE-352

Affected Assets

mozilla
firefox
≤ 150.0
mozilla
thunderbird
≤ 150.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (Firefox/Thunderbird 150) that eliminates the postMessage mitigation bypass.

prevent

Implements denial-of-service protection mechanisms that limit or block the availability impact (crash/hang) resulting from exploitation of the bypass.

prevent

Enforces information flow rules between browsing contexts, directly addressing the postMessage component where the mitigation bypass occurs.

References