PatchSiren cyber security CVE debrief
CVE-2026-8960 Mozilla CVE debrief
CVE-2026-8960 is a high-severity spoofing issue in Mozilla WebExtensions. Mozilla states the issue was fixed in Firefox 151 and Thunderbird 151. NVD rates the issue at CVSS 7.5 with network attack vector, no privileges required, no user interaction, and high integrity impact.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Firefox and Thunderbird users, administrators, and security teams should prioritize this if they run versions earlier than 151.0.0. Extension-heavy environments and organizations that rely on browser or mail-client integrity should treat this as a prompt patching item.
Technical summary
The NVD record classifies CVE-2026-8960 as a spoofing issue in WebExtensions with CWE-290 (Authentication Bypass by Spoofing). The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a remotely reachable issue with no privileges or user interaction required and a primary integrity impact. NVD lists affected Mozilla Firefox versions before 151.0.0 and Thunderbird versions before 151.0.0. Mozilla’s linked advisories identify the fix in Firefox 151 and Thunderbird 151.
Defensive priority
High. The issue is remotely reachable, requires no privileges, and can affect integrity. If you operate Firefox or Thunderbird at scale, move patched releases into your standard priority patch cycle and verify version compliance quickly.
Recommended defensive actions
- Upgrade Mozilla Firefox to version 151 or later.
- Upgrade Mozilla Thunderbird to version 151 or later.
- Inventory endpoints and servers that bundle or manage Firefox/Thunderbird, and confirm they are not on versions earlier than 151.0.0.
- Review extension governance and remove unnecessary add-ons where practical, especially in high-trust environments.
- Monitor vendor advisories and vulnerability management tooling for any follow-on guidance tied to Mozilla security bulletins MFSA2026-46 and MFSA2026-50.
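An added example (not part of the original debrief and not Mozilla tooling): a version-compliance check for the inventory step above, flagging Firefox and Thunderbird builds below the 151.0.0 threshold given on this page. The host names, CSV columns, and the choice to route ESR and pre-release builds to manual review are assumptions of this example.

```python
import csv
import io
import re

FIXED = (151, 0, 0)  # from the page: versions before 151.0.0 are affected
PRODUCTS = {"firefox", "thunderbird"}

# Mozilla-style version strings: 150.0.1, 151.0, 151.0b3 (beta), 152.0a1 (nightly), 140.2.0esr
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b)(\d+))?(esr)?\b")

def classify(version_text):
    """Return 'patched', 'vulnerable', 'review' or 'unparsed' for one reported version."""
    m = VERSION_RE.search(version_text)
    if m is None:
        return "unparsed"
    release = (int(m[1]), int(m[2]), int(m[3] or 0))
    # Assumption: the page gives no fixed version for ESR or pre-release builds,
    # so they go to manual review against the vendor advisory instead of being guessed.
    if m[4] or m[6]:
        return "review"
    return "patched" if release >= FIXED else "vulnerable"

def audit(inventory_csv):
    """Return (host, product, reported, status) for every Firefox/Thunderbird row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product in PRODUCTS:
            findings.append((row["host"], product, row["reported"], classify(row["reported"])))
    return findings

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,reported
ws-001,Firefox,Mozilla Firefox 150.0.1
ws-002,Firefox,Mozilla Firefox 151.0
ws-003,Thunderbird,Thunderbird 140.2.0esr
ws-004,Firefox,Mozilla Firefox 151.0b3
ws-005,Thunderbird,Thunderbird 151.0.1
ws-006,Chromium,Chromium 140.0.7339.80
ws-007,Firefox,not installed
"""

if __name__ == "__main__":
    for host, product, reported, status in audit(SAMPLE):
        if status != "patched":
            print(f"{host}: {product} {reported!r} -> {status}")
```

Rows that come back as `review` or `unparsed` need a human check against the vendor advisory or the endpoint itself; only `patched` rows should count toward compliance.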
Evidence notes
This debrief is based only on the supplied NVD record and Mozilla-linked official references. The source record lists the vulnerability as a WebExtensions spoofing issue, with CWE-290, CVSS 7.5, and affected CPE criteria ending before 151.0.0 for Firefox and Thunderbird. The official references include a Mozilla Bugzilla issue and Mozilla security advisories, which support the fixed-in-151 statement. The CVE published timestamp used here is 2026-05-19T14:16:52.383Z; the modified timestamp is 2026-05-20T14:20:06.967Z.
Official resources
- CVE-2026-8960 CVE record: CVE.org
- CVE-2026-8960 NVD detail: NVD
- Source item URL: nvd_modified
- Source reference: [email protected] - Permissions Required
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the official CVE/NVD record on 2026-05-19, with an NVD modification timestamp of 2026-05-20. Mozilla’s linked advisories document the fix in Firefox 151 and Thunderbird 151.