PatchSiren cyber security CVE debrief
CVE-2026-8963 Mozilla CVE debrief
CVE-2026-8963 is a Mozilla Web Speech spoofing vulnerability affecting Firefox and Thunderbird versions before 151.0.0. Mozilla’s fixes are reflected in Firefox 151 and Thunderbird 151, and NVD rates the issue High with a CVSS 3.1 score of 7.5.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Security teams, endpoint administrators, and IT operations teams managing Firefox or Thunderbird deployments should prioritize this advisory, especially systems still running versions earlier than 151.0.0.
Technical summary
NVD classifies the flaw as a remotely reachable spoofing issue in the Web Speech component with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating no privileges or user interaction are required and the main impact is on integrity. NVD also maps the weakness to CWE-290 and marks Firefox and Thunderbird versions prior to 151.0.0 as vulnerable.
Defensive priority
High — the issue is network-reachable, requires no privileges or user interaction, and can materially affect integrity, so patching should be prioritized.
Recommended defensive actions
- Upgrade Firefox to 151 or later on all affected systems.
- Upgrade Thunderbird to 151 or later on all affected systems.
- Inventory deployments to identify any Firefox or Thunderbird instances below version 151.0.0.
- Track Mozilla security advisories and validate remediation against the official advisory references.
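One way to run the inventory step, as an added example that is not part of the NVD record or Mozilla's advisory: it classifies collected `--version` banners against the 151.0.0 boundary stated above. The host names and banner lines are constructed sample data, and treating alpha/beta/rc builds of 151.0 as unfixed is an assumption.

```python
import re

FIXED = (151, 0, 0)  # first fixed version for both products, per this debrief

# Banner as printed by `firefox --version` / `thunderbird --version`.
BANNER = re.compile(
    r"Mozilla (Firefox|Thunderbird) (\d+(?:\.\d+){0,2})((?:a|b|rc)\d+)?(esr)?\s*$"
)

def parse_banner(banner):
    """Return (product, (major, minor, patch), is_prerelease) or None."""
    m = BANNER.search(banner.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (3 - len(parts))  # "151.0" -> (151, 0, 0)
    return m.group(1), tuple(parts), m.group(3) is not None

def is_vulnerable(banner):
    """True if below 151.0.0, False if fixed, None if the banner is unparseable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    _, version, prerelease = parsed
    if version < FIXED:  # numeric tuple compare, so 99.0 < 151.0
        return True
    # Assumption: a pre-release of exactly 151.0.0 predates the fixed release.
    return version == FIXED and prerelease

def triage(inventory):
    """Group (host, banner) pairs into vulnerable / fixed / unknown host lists."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, banner in inventory:
        verdict = is_vulnerable(banner)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        result[key].append(host)
    return result

# Constructed sample inventory (not real hosts or real scan output).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 150.0.1"),
    ("ws-02", "Mozilla Firefox 151.0"),
    ("ws-03", "Mozilla Thunderbird 99.0"),     # string compare would rank this above 151
    ("ws-04", "Mozilla Firefox 151.0b3"),
    ("ws-05", "Mozilla Thunderbird 151.0.1"),
    ("ws-06", "firefox: command not found"),   # needs manual follow-up
    ("ws-07", "Mozilla Firefox 140.3.0esr"),   # compared by number; no ESR fix version is given here
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that land in `unknown` still need a manual check, since a missing banner does not show the product is absent.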
Evidence notes
All facts in this debrief come from the supplied NVD record and Mozilla reference links. The NVD metadata lists the affected CPE ranges as Firefox and Thunderbird before 151.0.0, the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, and the weakness as CWE-290. Mozilla’s advisory and Bugzilla references are included in the source corpus, but no additional advisory text was supplied.
Official resources
- CVE-2026-8963 CVE record (CVE.org)
- CVE-2026-8963 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: [email protected] - Permissions Required
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly recorded in the supplied CVE/NVD data on 2026-05-19 and updated on 2026-05-20; use the CVE published timestamp for chronology.