PatchSiren cyber security CVE debrief
CVE-2026-12294 Mozilla CVE debrief
CVE-2026-12294 is a vulnerability in the DOM: Workers component that allows for sandbox escape. The vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. The CVE was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-12294) and last modified on [cveModifiedAt](https://www.cve.org/CVERecord?id=CVE-2026-12294).
- Vendor
- Mozilla
- Product
- Firefox
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-16
Who should care
Users of Firefox, Firefox ESR, and other products that use the DOM: Workers component should apply the fixes provided by Mozilla.
Technical summary
The vulnerability is a sandbox escape in the DOM: Workers component. This could potentially allow an attacker to execute arbitrary code outside of the sandbox.
Defensive priority
high
Recommended defensive actions
- Apply the fixes provided by Mozilla: update to Firefox 152, Firefox ESR 140.12, or Firefox ESR 115.37.
Evidence notes
The CVE was published by [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-12294) and detailed by [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-12294).
Official resources
Mozilla has addressed this vulnerability in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.