PatchSiren cyber security CVE debrief
CVE-2026-12304 Mozilla CVE debrief
A same-origin policy bypass vulnerability was discovered in the Networking: Cookies component of Firefox. This vulnerability, tracked as CVE-2026-12304, was fixed in Firefox 152 and Firefox ESR 140.12. The CVE was published on [2026-06-16](https://www.cve.org/CVERecord?id=CVE-2026-12304) and last modified on [2026-06-17](https://www.cve.org/CVERecord?id=CVE-2026-12304).
- Vendor: Mozilla
- Product: Firefox
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of Firefox and Firefox ESR should update to versions 152 and 140.12, respectively, to mitigate this vulnerability.
Technical summary
The vulnerability allows for a same-origin policy bypass in the Networking: Cookies component.
Defensive priority
High
Recommended defensive actions
- Update Firefox to version 152 or later
- Update Firefox ESR to version 140.12 or later
Evidence notes
The CVE was published by the CVE Program, and details can be found on the [CVE-2026-12304 CVE record](https://www.cve.org/CVERecord?id=CVE-2026-12304). Additional information can be found on the [NVD detail page](nvd) and in the [source references](ref-4), [Mozilla security advisories](ref-5) and [Mozilla security advisories](ref-6).
Official resources
Mozilla has addressed this vulnerability through updates to Firefox and Firefox ESR.