{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0883", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-01-13T13:30:55.877Z", "datePublished": "2026-01-13T13:30:56.043Z", "dateUpdated": "2026-04-13T13:51:51.032Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}]}], "title": "Information disclosure in the Networking component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989340"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "credits": [{"lang": "en", "value": "Vladislav Plyatsok"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:51.032Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T15:46:59.917737Z", "id": "CVE-2026-0883", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T15:47:56.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T15:46:59.917737Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T15:47:29.531Z"}}], "cna": {"title": "Information disclosure in the Networking component", "credits": [{"lang": "en", "value": "Vladislav Plyatsok"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989340"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "descriptions": [{"lang": "en", "value": "Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "value": "Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:51.032Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0883", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:51:51.032Z", "dateReserved": "2026-01-13T13:30:55.877Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-01-13T13:30:56.043Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "A2FC50B3-5A36-4702-8CF6-CC732E3B148B", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1", "versionEndExcluding": "147.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5", "versionEndExcluding": "147.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Revelaci\u00f3n de informaci\u00f3n en el componente de red. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, y Thunderbird < 140.7."}], "id": "CVE-2026-0883", "lastModified": "2026-04-13T15:17:17.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-13T14:16:38.853", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989340"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Information disclosure in the Networking component", "id": "2428968", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428968"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0883", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T13:30:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0883\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0883\nhttps://www.mozilla.org/security/advisories/mfsa2026-03/#CVE-2026-0883"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-15T15:55:36.750899+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 147 or newer, or to Firefox ESR 140.7 or newer, to receive the fix for the networking information disclosure flaw.", "Upgrade to Thunderbird 147 or newer, or to Thunderbird ESR 140.7 or newer, to eliminate the disclosure issue.", "After updating, restart the applications so that the updated networking components are loaded and active."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw impacts Mozilla\u2019s Firefox and Thunderbird clients, including both standard and Extended Support Release versions. Versions up to and excluding Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7 are affected. Users running older releases of these browsers or email clients are therefore at risk.", "description_and_impact": "This vulnerability allows an attacker to read potentially sensitive data handled by the Networking component of Mozilla\u2019s desktop applications. The flaw permits unauthorized disclosure of information that the application processes, which could include user credentials, session identifiers, or other private data transmitted over the network. The weakness is catalogued as CWE-200, indicating that exposed data can be accessed by an unauthenticated user.", "risk_and_exploitability": "The CVSS score of 5.3 places this flaw in the moderate range of severity, but the EPSS score of less than 1% suggests that exploitation is unlikely. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers could exploit the vulnerability through network-based means, such as sending crafted packets or manipulating the data flow within the client, though no specific exploit has been publicly documented. The primary protection is to prevent unauthorized access to the application\u2019s networking module, which the vendor mitigates through the patched releases."}}}}, "created": "2026-01-14T11:09:14.618713+00:00", "updated": "2026-04-15T18:15:10.874534+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}