{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6774", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:41:05.633Z", "datePublished": "2026-04-21T12:41:05.957Z", "dateUpdated": "2026-04-21T23:35:09.351Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}]}], "title": "Mitigation bypass in the DOM: Security component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016915"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "credits": [{"lang": "en", "value": "lebr0nli"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:09.351Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T14:01:03.413146Z", "id": "CVE-2026-6774", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T14:01:09.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6774", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T14:01:03.413146Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T14:00:58.738Z"}}], "cna": {"title": "Mitigation bypass in the DOM: Security component", "credits": [{"lang": "en", "value": "lebr0nli"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016915"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:09.351Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6774", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:35:09.351Z", "dateReserved": "2026-04-21T12:41:05.633Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:41:05.957Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "67B01D49-66FA-4C76-9EB4-2B8CD61FBEB2", "versionEndExcluding": "150.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "5DDDA58D-2B1E-4956-9CC2-45B3017F3F0B", "versionEndExcluding": "150.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}], "id": "CVE-2026-6774", "lastModified": "2026-04-22T15:17:38.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:23.173", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016915"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Firefox: Firefox: Mitigation bypass in DOM Security component", "id": "2460082", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460082"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-358", "details": ["A flaw was found in Firefox. This vulnerability allows for a mitigation bypass within the Document Object Model (DOM) Security component. An attacker could potentially exploit this to circumvent existing security controls, which may lead to further security compromises."], "name": "CVE-2026-6774", "public_date": "2026-04-21T12:41:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6774\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6774\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=2016915\nhttps://www.mozilla.org/security/advisories/mfsa2026-30/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T15:08:42.436398+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 150 or newer, which includes the security component fix.", "Upgrade Thunderbird to version 150 or newer, which includes the security component fix.", "Enable and enforce automatic updates to avoid remaining on older, vulnerable builds.", "Limit exposure by reviewing or disabling third\u2011party extensions that interact directly with DOM APIs, reducing the attack surface for the bypass."], "summary": {"action": "Patch", "impact": "Unauthorized access"}, "threat_synthesis": {"affected_systems": "All releases of Firefox and Thunderbird older than version 150 are vulnerable, as the flaw was addressed in the 150 release cycle. Users of the affected products should review their current versions and plan an upgrade if they are running older builds.", "description_and_impact": "Based on the description, it is inferred that Mozilla\u2019s Firefox implements a security component within the DOM that can be bypassed, allowing a crafted web page or script to perform privileged operations that should be protected, thereby exposing the user to unauthorized actions on data or application state. The flaw is classified as CWE\u2011693 and CWE\u2011358, indicating that security checks were improperly enforced or omitted in the execution path and that sensitive data may be inadvertently exposed.", "risk_and_exploitability": "The CVSS score of 5.4 places the issue in the moderate range, and the EPSS score is currently unavailable. The flaw is not listed in CISA\u2019s KEV catalog, suggesting a lower publicly confirmed exploitation probability at present. Based on the description, it is inferred that the vulnerability manifests when a malicious site or local script leverages DOM manipulation to subvert the security component, allowing potential theft of sensitive information or escalation of user privileges. Unless mitigated, a determined attacker can exploit this path in combination with other weaknesses to increase the overall impact."}}}}, "created": "2026-04-21T16:30:40.491094+00:00", "updated": "2026-04-22T15:15:16.422256+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}