{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0887", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-01-13T13:30:57.650Z", "datePublished": "2026-01-13T13:30:57.847Z", "dateUpdated": "2026-04-13T13:51:59.523Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}]}], "title": "Clickjacking issue, information disclosure in the PDF Viewer component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2006500"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "credits": [{"lang": "en", "value": "Lyra Rebane"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:59.523Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-497", "lang": "en", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T15:32:40.994965Z", "id": "CVE-2026-0887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T15:32:44.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T15:32:40.994965Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T20:29:00.023Z"}}], "cna": {"title": "Clickjacking issue, information disclosure in the PDF Viewer component", "credits": [{"lang": "en", "value": "Lyra Rebane"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2006500"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "descriptions": [{"lang": "en", "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:59.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0887", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:51:59.523Z", "dateReserved": "2026-01-13T13:30:57.650Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-01-13T13:30:57.847Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "A2FC50B3-5A36-4702-8CF6-CC732E3B148B", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1", "versionEndExcluding": "147.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5", "versionEndExcluding": "147.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Problema de clickjacking, revelaci\u00f3n de informaci\u00f3n en el componente Visor de PDF. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 y Thunderbird < 140.7."}], "id": "CVE-2026-0887", "lastModified": "2026-04-13T15:17:17.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-13T14:16:39.240", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2006500"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Clickjacking issue, information disclosure in the PDF Viewer component", "id": "2428972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428972"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0887", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T13:30:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0887\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0887\nhttps://www.mozilla.org/security/advisories/mfsa2026-03/#CVE-2026-0887"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-15T15:53:45.285391+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 147 or newer, or Firefox ESR 140.7 or newer.", "Upgrade Thunderbird to version 147 or newer, or Thunderbird ESR 140.7 or newer.", "If an upgrade is not immediately possible, disable the built\u2011in PDF viewer or configure the browser to open PDFs in an external viewer to prevent the clickjacking vector."], "summary": {"action": "Upgrade", "impact": "Information Disclosure via Clickjacking"}, "threat_synthesis": {"affected_systems": "Firefox versions earlier than 147 and Firefox ESR versions earlier than 140.7, and Thunderbird versions earlier than 147 and Thunderbird ESR versions earlier than 140.7 are subject to the flaw. Mozilla products listed as affected include both Firefox and Thunderbird, encompassing their standard and extended support releases.", "description_and_impact": "The PDF Viewer component in Firefox and Thunderbird contains a clickjacking vulnerability that lets a malicious site cause the user to unintentionally interact with a PDF document, potentially revealing sensitive information. The flaw was addressed by correcting how the viewer handles user interactions, preventing the unintended disclosure. The weakness aligns with CWE\u2011497, where the component fails to restrict operations within the user's privilege bounds.", "risk_and_exploitability": "The vulnerability scores a CVSS of 4.3, a low to moderate severity level, and an EPSS score of less than 1%, indicating a very low likelihood of exploitation. It is not currently catalogued in CISA\u2019s KEV. Attackers would need to host a malicious web page that embeds a PDF and induce the victim to click on the document area, exploiting the clickjacking flaw to expose document contents. No remote code execution or privilege escalation has been documented."}}}}, "created": "2026-01-14T11:09:12.633621+00:00", "updated": "2026-04-15T18:15:10.872658+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}