PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8966 Mozilla CVE debrief

CVE-2026-8966 is a Mozilla information disclosure vulnerability in the IP Protection component. According to NVD and Mozilla’s advisories, it affects Firefox and Thunderbird versions before 151.0.0 and was fixed in Firefox 151 and Thunderbird 151. The CVSS 3.1 score is 7.5 (HIGH), reflecting network exposure, no user interaction, and high confidentiality impact.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Administrators and users running Mozilla Firefox or Thunderbird, especially on systems that may remain on versions older than 151.0.0. Security teams managing desktop application patching should prioritize this update because the issue affects confidentiality and is reachable over the network without privileges or user interaction.

Technical summary

NVD classifies CVE-2026-8966 as CWE-200 (Information Exposure). The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable issue with low attack complexity, no privileges required, no user interaction, and high confidentiality impact. NVD lists vulnerable CPEs for mozilla:firefox and mozilla:thunderbird with affected versions ending before 151.0.0. Mozilla’s referenced advisories and Bugzilla record are the official sources linked from the CVE entry.

Defensive priority

High. This is a high-severity confidentiality issue affecting widely used client software. Patch quickly if Firefox or Thunderbird is deployed in your environment, and confirm all installations are at 151.0.0 or later.

Recommended defensive actions

  • Upgrade Firefox to version 151.0.0 or later.
  • Upgrade Thunderbird to version 151.0.0 or later.
  • Inventory endpoints and confirm no affected Firefox or Thunderbird versions remain below 151.0.0.
  • Prioritize patching on devices that handle sensitive email or browsing data.
  • Review Mozilla security advisories for any follow-on guidance and verify deployment completion.
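The inventory step above can be scripted. The following is an added example, not code from Mozilla or from this debrief: it classifies (host, product, version) rows against the 151.0.0 threshold stated on this page. Assumptions: the host names and version strings are constructed sample data, the function names are hypothetical, and any build with a suffix (such as esr or a beta tag) or an unparseable version is sent to manual review, because the page gives only the release threshold.

```python
import re

FIXED = (151, 0, 0)  # first fixed release for Firefox and Thunderbird, per this debrief
PRODUCTS = {"firefox", "thunderbird"}
# One to three dotted numbers, then an optional suffix such as "esr" or "b4".
_VERSION = re.compile(r"^(\d+(?:\.\d+){0,2})([a-z]+\d*)?$")


def classify(product, version):
    """Return 'affected', 'ok', 'review' or 'ignored' for one installation."""
    if product.strip().lower() not in PRODUCTS:
        return "ignored"
    m = _VERSION.match(version.strip().lower())
    if not m:
        return "review"  # unparseable version: never assume it is patched
    if m.group(2):
        return "review"  # esr/beta builds: assumption, checked by hand
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad "151.0" to (151, 0, 0)
    return "affected" if parts < FIXED else "ok"


def audit(rows):
    """Group (host, product, version) rows by classification."""
    report = {"affected": [], "ok": [], "review": [], "ignored": []}
    for host, product, version in rows:
        report[classify(product, version)].append((host, product, version))
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-01", "Firefox", "150.0.2"),
    ("ws-02", "Firefox", "151.0"),
    ("ws-03", "Thunderbird", "140.3.0esr"),
    ("ws-04", "Thunderbird", "151.0.1"),
    ("ws-05", "Firefox", "151.0b4"),
    ("ws-06", "Firefox", "unknown"),
    ("ws-07", "Chromium", "130.0"),
]

if __name__ == "__main__":
    for status, rows in audit(SAMPLE).items():
        for row in rows:
            print(status, *row)
```

Feed it the rows exported from your endpoint management tool; anything in the review bucket needs a person to confirm the build against Mozilla's advisories.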

Evidence notes

This debrief is based only on the supplied CVE record, NVD metadata, and Mozilla-linked references. The CVE was published on 2026-05-19 and modified on 2026-05-20. NVD lists the vulnerability as analyzed, assigns CWE-200, and records vulnerable Firefox and Thunderbird CPEs ending before 151.0.0. The official references provided are a Mozilla Bugzilla issue and Mozilla security advisories mfsa2026-46 and mfsa2026-50.

Official resources

Publicly disclosed on 2026-05-19 14:16:53.043Z and last modified on 2026-05-20 17:51:24.320Z, per the supplied CVE timeline.