CVE-2026-8391
Published: 12 May 2026
Summary
CVE-2026-8391 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).
Operationally, ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29466
Vulnerability details
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.