CVE-2026-6762
Published: 21 April 2026
Summary
CVE-2026-6762 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Mozilla Firefox. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); its exploit likelihood ranks in the 5.2 percentile (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-6762 is a spoofing vulnerability (CWE-290) in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird. It affects versions of these products prior to Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The issue was published on 2026-04-21 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely over the network with low attack complexity and no privileges, but it requires user interaction, such as clicking a malicious link or engaging with crafted content. Successful exploitation has limited impact on confidentiality, integrity, and availability within an unchanged scope, potentially allowing spoofed DOM elements to mislead users.
Mozilla's security advisories (MFSA2026-30, MFSA2026-31, MFSA2026-32, and MFSA2026-33) and Bugzilla entry 2021080 detail the fix applied in the listed versions. Mitigation requires updating affected Firefox and Thunderbird installations to these patched releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24103
Vulnerability details
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
DOM spoofing enables deception via malicious links or crafted web content, directly facilitating spearphishing links, user execution through malicious links, and drive-by compromise scenarios.
Mitigating Controls (NIST 800-53 r5)
- Flaw Remediation: directly requires timely installation of security-relevant patches to eliminate known flaws such as this DOM spoofing vulnerability.
- Configuration Settings: enforces approved configuration settings that include maintaining current patched versions of Firefox and Thunderbird.
- Software Integrity Verification: requires integrity verification of software to ensure only the patched releases (free of the spoofing flaw) are executed.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. They are derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only), so the rules below are linked to this CVE only through the CWE-290 weakness class; they do not remediate the Firefox or Thunderbird flaw itself, which requires the patched releases listed above.
Oracle Linux 8 (1 rule)
- V-248827 OL 8 must not have the rsh-server package installed. via CWE-290
RHEL 7 (1 rule)
- V-204442 The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. via CWE-290
RHEL 8 (1 rule)
- V-230492 RHEL 8 must not have the rsh-server package installed. via CWE-290