PatchSiren cyber security CVE debrief

CVE-2026-8965 Mozilla CVE debrief

CVE-2026-8965 is a high-severity information disclosure vulnerability in Mozilla’s DOM security component. NVD classifies it as CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating a remotely reachable confidentiality-impact issue with no privileges or user interaction required. Mozilla fixed the issue in Firefox 151 and Thunderbird 151, and NVD lists affected Firefox and Thunderbird versions before 151.0.0.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Organizations and individuals running Mozilla Firefox or Thunderbird versions earlier than 151.0.0 should treat this as relevant, especially where browser or mail-client data exposure would be sensitive. Security teams managing enterprise desktop fleets should prioritize deployment because the issue is network-reachable and impacts confidentiality.

Technical summary

The NVD record describes CVE-2026-8965 as an information disclosure flaw in the DOM security component, mapped to CWE-200. The published CVSS vector shows a network attack path, low complexity, no privileges required, no user interaction required, and high confidentiality impact. NVD’s CPE criteria mark Firefox and Thunderbird versions earlier than 151.0.0 as vulnerable, and the record references the associated Mozilla bug and advisory entries for the fix.

Defensive priority

High. The issue is rated CVSS 7.5 and can expose information without authentication or user interaction, so patching should be treated as urgent for exposed desktop and managed client populations.

Recommended defensive actions

  • Upgrade Mozilla Firefox to version 151.0.0 or later.
  • Upgrade Mozilla Thunderbird to version 151.0.0 or later.
  • Confirm endpoint management tools are not holding back browser or mail-client updates.
  • Review Mozilla security advisories for the affected release train and validate remediation coverage across all supported devices.
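One way to validate remediation coverage against the 151.0.0 threshold above, as an added example that is not part of the NVD record or Mozilla's materials. The CSV layout, hostnames and version strings are constructed, and sending ESR or pre-release builds to manual review is an assumption of this example, since the page states no fixed version for those channels.

```python
import csv
import io
import re

FIXED = (151, 0, 0)  # fixed release stated on this page
PRODUCTS = {"firefox", "thunderbird"}  # products the page lists as affected

# Constructed sample inventory export; hosts and versions are made up.
SAMPLE_INVENTORY = """host,product,version
ws-001,Firefox,151.0
ws-002,Firefox,150.0.2
ws-003,Thunderbird,151.0.1
ws-004,Thunderbird,149.0
ws-005,Firefox,140.3.0esr
ws-006,Firefox,151.0b4
ws-007,Firefox,unknown
ws-008,Chromium,120.0
"""

VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr|[ab]\d+)?$")

def classify(version):
    """Return PATCHED, VULNERABLE or REVIEW for one version string."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        return "REVIEW"  # unparseable value: never assume it is patched
    if m.group(4):
        return "REVIEW"  # assumption: ESR/pre-release needs an advisory check
    numeric = tuple(int(part or 0) for part in m.group(1, 2, 3))
    return "VULNERABLE" if numeric < FIXED else "PATCHED"

def audit(inventory_csv):
    """Map (host, product) to a status; products out of scope are skipped."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product in PRODUCTS:
            results[(row["host"], product)] = classify(row["version"])
    return results

if __name__ == "__main__":
    for (host, product), status in sorted(audit(SAMPLE_INVENTORY).items()):
        if status != "PATCHED":
            print(f"{host} {product}: {status}")
```

Hosts that stay in VULNERABLE across successive inventory pulls are candidates for the held-back-update check in the third action above.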

Evidence notes

Evidence is drawn from the NVD CVE record and its referenced Mozilla materials. NVD lists the vulnerability status as analyzed, identifies CWE-200, provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and marks Firefox and Thunderbird versions before 151.0.0 as vulnerable. The record also references a Mozilla bug entry and Mozilla security advisories as source material.

Official resources

Published by the CVE/NVD ecosystem on 2026-05-19 and last modified on 2026-05-20.