Cyber Resilience

CVE-2026-6762

Medium

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0016 5.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-6762 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Mozilla Firefox. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-6762 is a spoofing vulnerability (CWE-290) in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird. It affects versions of these products prior to Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The issue was published on 2026-04-21 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it demands user interaction such as clicking a malicious link or engaging with crafted content. Successful exploitation enables limited impacts on confidentiality, integrity, and availability within the unchanged scope, potentially allowing spoofed elements in the DOM to mislead users.

Mozilla's security advisories (MFSA2026-30, MFSA2026-31, MFSA2026-32, and MFSA2026-33) and Bugzilla entry 2021080 detail the fix applied in the listed versions. Mitigation requires updating affected Firefox and Thunderbird installations to these patched releases.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

DOM spoofing enables deception via malicious links or crafted web content, directly facilitating spearphishing links, user execution through malicious links, and drive-by compromise scenarios.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2800Same product: Mozilla Firefox
CVE-2024-11701Same product: Mozilla Firefox
CVE-2024-10465Same product: Mozilla Firefox
CVE-2024-10462Same product: Mozilla Firefox
CVE-2025-3029Same product: Mozilla Firefox
CVE-2026-8963Same product: Mozilla Firefox
CVE-2026-4728Same product: Mozilla Firefox
CVE-2025-1932Same product: Mozilla Firefox
CVE-2026-8960Same product: Mozilla Firefox
CVE-2025-8043Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.10.0 · ≤ 150.0
mozilla
thunderbird
140.0 — 140.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of security-relevant patches to eliminate known flaws such as this DOM spoofing vulnerability.

prevent

Enforces approved configuration settings that include maintaining current patched versions of Firefox and Thunderbird.

preventdetect

Requires integrity verification of software to ensure only the patched releases (free of the spoofing flaw) are executed.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248827 OL 8 must not have the rsh-server package installed. via CWE-290
RHEL 7 (1 rule)
  • V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-290
RHEL 8 (1 rule)
  • V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-290

References