PatchSiren cyber security CVE debrief

CVE-2026-8964 Mozilla CVE debrief

CVE-2026-8964 is a Mozilla spoofing issue in the Popup Blocker component. Mozilla states the issue was fixed in Firefox 151 and Thunderbird 151. NVD rates it HIGH, with a network attack vector and no privileges required, but the recorded impact is limited to integrity.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Organizations and individuals running Mozilla Firefox or Thunderbird versions earlier than 151.0.0 should care most, especially where browser or mail-client trust decisions matter.

Technical summary

The official record describes a spoofing issue in the Popup Blocker component. NVD lists the weakness as CWE-451 and scores the issue CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating a remotely reachable integrity-impacting problem with no confidentiality or availability impact recorded. The vulnerable CPE criteria in NVD apply to Firefox and Thunderbird versions before 151.0.0.

Defensive priority

High for affected deployments. The combination of network reachability, no required privileges, and integrity impact makes version remediation a priority, even though the source corpus does not describe availability or confidentiality impact.

Recommended defensive actions

  • Upgrade Firefox to 151 or later.
  • Upgrade Thunderbird to 151 or later.
  • Confirm deployed Firefox and Thunderbird versions are not below 151.0.0.
  • Use the Mozilla advisories to validate remediation status in your environment.
  • Track endpoint and software inventory for any lingering affected installations.
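
One way to run the version confirmation above against a software inventory export, as an added example that is not PatchSiren's or Mozilla's code. The inventory rows, host names and status labels are constructed for illustration; treating pre-release builds of 151.0 as still affected and sending ESR builds to manual review (this debrief does not cover the ESR version line) are assumptions.

```python
import re

FIXED = (151, 0, 0)  # first fixed release for both products, per this debrief
PRODUCTS = ("firefox", "thunderbird")

# Constructed inventory rows: (host, product, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "Firefox", "150.0.2"),
    ("ws-002", "Firefox", "151.0"),
    ("ws-003", "Thunderbird", "149.0.1"),
    ("ws-004", "Firefox", "151.0b4"),
    ("ws-005", "Firefox", "140.3.0esr"),
    ("ws-006", "Thunderbird", "151.0.1"),
    ("ws-007", "Firefox", "unknown"),
    ("ws-008", "Chromium", "120.0"),
]

# major[.minor[.patch]] with an optional alpha/beta/esr suffix.
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(a\d*|b\d*|esr)?$", re.I)

def classify(product, version):
    """Return 'not-applicable', 'unparsed', 'review', 'affected' or 'fixed'."""
    if product.strip().lower() not in PRODUCTS:
        return "not-applicable"
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"  # never count an unreadable version as remediated
    numeric = tuple(int(p or 0) for p in m.group(1, 2, 3))
    suffix = (m.group(4) or "").lower()
    if suffix == "esr":
        return "review"  # assumption: ESR fix status must come from the advisory
    if suffix and numeric <= FIXED:
        return "affected"  # assumption: a 151.0 alpha/beta predates 151.0.0
    return "affected" if numeric < FIXED else "fixed"

def needs_attention(inventory):
    """Map host -> status for installs that are affected or unconfirmed."""
    flagged = {}
    for host, product, version in inventory:
        status = classify(product, version)
        if status in ("affected", "review", "unparsed"):
            flagged[host] = status
    return flagged

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows that come back as review or unparsed should be resolved against the Mozilla advisories rather than closed as remediated.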

Evidence notes

This debrief is based only on the supplied NVD record and Mozilla reference links. The source corpus shows affected versions ending before 151.0.0 for Firefox and Thunderbird, and it does not include exploit details or a KEV designation. CVE timing is taken from the provided published and modified timestamps.

Official resources

Publicly disclosed on 2026-05-19 and last modified on 2026-05-20, based on the supplied CVE timestamps.