{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0888", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-01-13T13:30:58.095Z", "datePublished": "2026-01-13T13:30:58.296Z", "dateUpdated": "2026-04-13T13:52:02.777Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147."}]}], "title": "Information disclosure in the XML component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1985996"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}], "credits": [{"lang": "en", "value": "Pier Angelo Vendrame"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:52:02.777Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T20:29:19.499227Z", "id": "CVE-2026-0888", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T20:29:51.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T20:29:19.499227Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T20:29:47.152Z"}}], "cna": {"title": "Information disclosure in the XML component", "credits": [{"lang": "en", "value": "Pier Angelo Vendrame"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1985996"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}], "descriptions": [{"lang": "en", "value": "Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.", "supportingMedia": [{"type": "text/html", "value": "Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:52:02.777Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0888", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:52:02.777Z", "dateReserved": "2026-01-13T13:30:58.095Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-01-13T13:30:58.296Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1", "versionEndExcluding": "147.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5", "versionEndExcluding": "147.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147."}, {"lang": "es", "value": "Revelaci\u00f3n de informaci\u00f3n en el componente XML. Esta vulnerabilidad afecta a Firefox < 147 y Thunderbird < 147."}], "id": "CVE-2026-0888", "lastModified": "2026-04-13T15:17:18.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-13T14:16:39.340", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1985996"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Information disclosure in the XML component", "id": "2428962", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428962"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0888", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T13:30:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0888\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0888\nhttps://www.mozilla.org/security/advisories/mfsa2026-01/#CVE-2026-0888"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-15T15:53:15.649832+00:00", "value": {"mitigation_remediation": ["Install Mozilla Firefox version 147 or newer to obtain the fix. ", "Install Mozilla Thunderbird version 147 or newer to obtain the fix. ", "If an update delay is unavoidable, limit the processing of untrusted XML data by disabling or restricting the XML parsing feature where the application allows it."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All releases of Firefox and Thunderbird before version 147 are affected. The advisory applies to the Mozilla Firefox browser and the Mozilla Thunderbird email client.", "description_and_impact": "The vulnerability resides in the XML component of Mozilla Firefox and Thunderbird, allowing an attacker to read sensitive data that should not be accessible. It is a classic information\u2011disclosure weakness (CWE\u2011200) that can expose configuration files, credentials, or other private information embedded in XML documents. Adversaries could exploit this flaw to gather contextual data that supports further attacks.", "risk_and_exploitability": "The CVSS score of 5.3 classifies it as a moderate risk, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require delivery of a crafted XML file to the target system; attackers could then read the disclosed information, potentially leading to further compromise. The lack of public exploits suggests that sandboxing or disabling the vulnerable XML parsing path could mitigate the risk if patching is not immediately possible."}}}}, "created": "2026-01-14T11:09:15.297842+00:00", "updated": "2026-04-15T18:15:10.871967+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}