Skip to main content

Mozilla Firefox CVE-2026-6771

| EUVD-2026-24112 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-21 mozilla GHSA-88fc-5m2g-g6q2
Authentication Bypass Red Hat Mozilla Suse
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 02:30 nvd
Patch available
Analysis Updated
Apr 22, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 00:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 20:25 vuln.today
CVSS changed
Apr 21, 2026 - 20:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 21, 2026 - 13:15 euvd
EUVD-2026-24112
Analysis Generated
Apr 21, 2026 - 13:15 vuln.today
CVE Published
Apr 21, 2026 - 12:41 nvd
CRITICAL 9.8

DescriptionNVD

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

AnalysisAI

DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Firefox deployments via asset inventory and disable Firefox or restrict to critical business sites only; communicate incident to all users. Within 7 days: Distribute Firefox version 150 or Firefox ESR 140.10 or later via patch management; verify deployment across all endpoints. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-44739 HIGH
8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

CVE-2026-6771 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy