Skip to main content

Firefox CVE-2026-6768

| EUVD-2026-24109 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-21 mozilla GHSA-q5x7-w9rr-q429
Authentication Bypass Red Hat Mozilla Suse
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 02:30 nvd
Patch available
Analysis Updated
Apr 22, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 00:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVSS changed
Apr 21, 2026 - 17:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 21, 2026 - 13:15 euvd
EUVD-2026-24109
Analysis Generated
Apr 21, 2026 - 13:15 vuln.today
CVE Published
Apr 21, 2026 - 12:41 nvd
CRITICAL 9.8

DescriptionNVD

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150.

AnalysisAI

Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Firefox installations organization-wide and document current versions. Within 7 days: Apply Mozilla patches referenced in security advisories MFSA2026-30 and MFSA2026-33, prioritizing Firefox versions prior to 150; verify installations reach version 150 or later. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-44739 HIGH
8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

CVE-2026-6768 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy