PatchSiren


CVE-2026-8961 Mozilla CVE debrief

CVE-2026-8961 is a Mozilla spoofing issue in the Form Autofill component. NVD rates it CVSS 6.5/Medium and ties it to user interaction with high integrity impact. Mozilla fixed the issue in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Vendor: Mozilla
Product: Firefox
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Organizations and users running Mozilla Firefox or Thunderbird on affected versions, especially installations older than Firefox 151 / Firefox ESR 140.11 / Thunderbird 151 / Thunderbird ESR 140.11.

Technical summary

NVD describes this as a spoofing issue in Firefox/Thunderbird Form Autofill and classifies it as CWE-290. The published CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network reachability, no privileges required, required user interaction, and a high integrity impact. NVD’s vulnerable CPE criteria cover Firefox and Thunderbird releases below the fixed versions for both regular and ESR branches.

Defensive priority

Medium: handle this within the normal patching cadence, but do not defer it if Firefox or Thunderbird is broadly deployed in your environment. The combination of user interaction, browser/email-client exposure, and integrity impact makes a timely upgrade appropriate.

Recommended defensive actions

  • Upgrade Firefox to 151 or later.
  • Upgrade Firefox ESR to 140.11 or later.
  • Upgrade Thunderbird to 151 or later.
  • Upgrade Thunderbird ESR to 140.11 or later.
  • Validate deployed versions across desktop fleets and managed endpoints, including ESR channels.
  • Review Mozilla advisories linked from NVD for release-specific remediation details.
  • Track any systems unable to update promptly and place them on an accelerated remediation plan.
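
For the fleet validation step, a version check against the fixed releases listed above. This is an added example, not code from Mozilla, NVD or PatchSiren. It assumes an inventory export of (host, product, version) rows in which ESR builds carry the "esr" suffix; the host names and rows are constructed.

```python
import re

# Fixed versions as stated in this debrief, keyed by (product, is_esr).
FIXED = {
    ("firefox", False): (151,),
    ("firefox", True): (140, 11),
    ("thunderbird", False): (151,),
    ("thunderbird", True): (140, 11),
}

# Assumption: versions look like "150.0.1" or "140.10.0esr".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def status(product, version_text):
    """Classify one install as 'fixed', 'vulnerable' or 'unknown'."""
    m = VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown"  # beta/nightly/empty strings need manual review
    numbers = tuple(int(p) for p in m.group(1).split("."))
    fixed = FIXED.get((product.strip().lower(), bool(m.group(2))))
    if fixed is None:
        return "unknown"  # product not covered by this debrief
    # Pad both tuples so "151" and "151.0" compare as equal.
    width = max(len(numbers), len(fixed))
    numbers += (0,) * (width - len(numbers))
    fixed += (0,) * (width - len(fixed))
    return "fixed" if numbers >= fixed else "vulnerable"


def audit(rows):
    """Return (host, product, version, status) for every row that is not 'fixed'."""
    findings = []
    for host, product, version in rows:
        result = status(product, version)
        if result != "fixed":
            findings.append((host, product, version, result))
    return findings


# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("ws-001", "Firefox", "151.0"),
    ("ws-002", "Firefox", "150.0.1"),
    ("ws-003", "Firefox", "140.10.0esr"),
    ("ws-004", "Thunderbird", "140.11.0esr"),
    ("ws-005", "Thunderbird", "151.0b3"),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```

An ESR build whose version is reported without the "esr" suffix is compared against 151 and flagged as vulnerable, so the check errs toward review.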

Evidence notes

The CVE record and NVD entry identify the issue as a spoofing problem in Form Autofill and list Mozilla as the vendor. NVD provides the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), the CWE-290 weakness classification, and vulnerable CPE criteria showing affected Firefox and Thunderbird branches before the stated fixed versions. The NVD record also references Mozilla Bugzilla and four Mozilla security advisories.

Official resources

Published by CVE/NVD on 2026-05-19 and modified on 2026-05-20. NVD lists Mozilla security advisories and Bugzilla as references, and indicates the issue was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.