CVE-2026-8948
9.1 CRITICALSame-origin policy bypass in the DOM: Networking component
Published: 2026-05-19 · Last updated: 2026-05-20
Severity and scoring
- CVSS
- 9.1 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-942
Affected products
| Vendor | Product |
|---|---|
| mozilla | firefox, thunderbird |
Description
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-10702 — JIT miscompilation in the JavaScript Engine: JIT component (4.3 MEDIUM)
- CVE-2026-10701 — Incorrect boundary conditions in the Graphics: Text component (7.5 HIGH)
- CVE-2026-9309 — Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata (5.4 MEDIUM)
- CVE-2026-9308 — Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders (5.4 MEDIUM)
- CVE-2026-9078 — Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI ... (5.4 MEDIUM)
Same CWE
- CVE-2026-10056 — CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security... (7.5 HIGH)
- CVE-2026-46685 — RustFS is a distributed object storage system built in Rust
- CVE-2026-45021 — Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs
- CVE-2026-9739 — Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790)
- CVE-2026-44895 — GitLab MCP Server lets an AI agent talk directly to GitLab