{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4728", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:54.953Z", "datePublished": "2026-03-24T12:30:41.773Z", "dateUpdated": "2026-04-13T13:51:10.061Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149."}]}], "title": "Spoofing issue in the Privacy: Anti-Tracking component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "credits": [{"lang": "en", "value": "Aswinkumar Gokulakannan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:10.061Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:13:55.853926Z", "id": "CVE-2026-4728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:49:27.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:13:55.853926Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:15:09.923Z"}}], "cna": {"title": "Spoofing issue in the Privacy: Anti-Tracking component", "credits": [{"lang": "en", "value": "Aswinkumar Gokulakannan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "149", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "149", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:10.061Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4728", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:51:10.061Z", "dateReserved": "2026-03-23T23:22:54.953Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T12:30:41.773Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC415708-0D12-42F6-801D-6884F4F01CD9", "versionEndExcluding": "149.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "98D01327-B65C-4FE2-8BBE-98C3555CF8E0", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n en el componente de Privacidad: Anti-Rastreo. Esta vulnerabilidad afecta a Firefox < 149 y Thunderbird < 149."}], "id": "CVE-2026-4728", "lastModified": "2026-04-13T15:17:45.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T13:16:08.680", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013179"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the Privacy: Anti-Tracking component", "id": "2450717", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450717"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-290", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nSpoofing issue in the Privacy: Anti-Tracking component"], "name": "CVE-2026-4728", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4728\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4728\nhttps://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4728"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-13T16:11:13.310156+00:00", "value": {"mitigation_remediation": ["Apply the latest updates for Firefox, version 149 or newer.", "Apply the latest updates for Thunderbird, version 149 or newer.", "If an immediate update is not possible, temporarily disable the Privacy: Anti-Tracking component in both applications.", "Stay alert to future advisories from Mozilla and apply subsequent patches as they become available."], "summary": {"action": "Immediate Patch", "impact": "Potential Spoofing of Anti-Tracking Data"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird are affected, with all releases prior to version 149 susceptible. Users running older builds of either product are at risk until they upgrade to a fixed version.", "description_and_impact": "A flaw in the Privacy: Anti-Tracking component can allow an attacker to present false information or bypass authentication checks, leading to spoofing of data that the browser or email client relies upon for privacy enforcement. The weakness stems from improper authentication controls, as classified by CWE-290. When triggered, an attacker could cause the client to treat untrusted input as legitimate, potentially undermining privacy protections and exposing user data to unintended parties.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating moderate severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. The attack vector remains inferred from the component involved; it is likely exploitable via crafted web content or email content when the Anti-Tracking feature is enabled."}}}}, "created": "2026-03-25T11:47:47.157304+00:00", "updated": "2026-04-14T16:42:49.135406+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}