
Mozilla Firefox EUVD-2026-37106 | CVE-2026-12315 CRITICAL
Protection Mechanism Failure (CWE-693)
2026-06-16 · mozilla · GHSA-9j9w-q224-vc26
9.1 · CVSS 3.1 · Vendor: mozilla

Severity by source

Vendor (mozilla), primary: 9.1 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI: 9.3 CRITICAL
Browser bug triggered by loading attacker content (UI:R), bypassing same-origin protections (S:C) to read and tamper with other origins' data (C:H/I:H); no availability impact.
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (mozilla).

CVSS Vector (Vendor: mozilla)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 16, 2026 - 20:22 (vuln.today)
CVSS changed: Jun 16, 2026 - 20:22 (NVD), 9.1 (CRITICAL)
CVE Published: Jun 16, 2026 - 11:52 (cve.org), no severity yet

Description (CVE.org)

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Analysis (AI)

A security-mitigation bypass in Mozilla Firefox, tracked under the DOM: Security Bugzilla component, allows a remote attacker to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Attacker hosts malicious web content
  • Delivery: Victim browser loads page
  • Exploit: Crafted DOM operation evades security check
  • Execution: Cross-origin protection bypassed
  • Impact: Sensitive data read or modified across origins

Vulnerability Assessment (AI)

Exploitation: The victim must be running Firefox before version 152 or Firefox ESR before 140.12 and must load attacker-controlled web content in that browser, either by direct navigation or via an embedded resource such as an iframe, advertisement, or compromised third-party script. "DOM: Security" is the Bugzilla component under which Mozilla tracks the bug, not a feature that can be switched off, so every affected build is exposed regardless of configuration. …
Risk Assessment: The vendor's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable, low-complexity, unauthenticated bypass with high confidentiality and integrity impact and no availability impact, consistent with a browser flaw triggered by visiting a malicious page. …
Exploit Scenario: An attacker hosts a malicious web page (or compromises a third-party ad or script loaded by a legitimate site) that issues DOM operations crafted to evade the patched security check, allowing the attacker's origin to read data from or tamper with content belonging to another origin the victim is logged into. The vendor vector rates UI:N and AC:L, so merely loading the page, for example via a malvertising redirect, is treated as sufficient to trigger the bypass; vuln.today's own rating counts that page load as user interaction (UI:R) and the cross-origin effect as a scope change (S:C), which is why it arrives at 9.3 rather than 9.1. No public exploit had been identified at the time of analysis, and the attack chain above is derived from CVE metadata rather than from an observed exploit. …
Remediation: Vendor-released patch: upgrade to Firefox 152 or Firefox ESR 140.12, both of which contain the fix per the Mozilla Foundation Security Advisories at https://www.mozilla.org/security/advisories/mfsa2026-57/ and mfsa2026-58/ (with related details at mfsa2026-60/ and mfsa2026-61/). …

Recommended Action (AI)

24 hours: Inventory Firefox deployments, identify builds below Firefox 152 or Firefox ESR 140.12, notify affected users, and push the vendor update; where an immediate upgrade is not possible, restrict the affected Firefox instances to trusted internal content until it is. …
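Carrying out the inventory step above (and the version check implied by the Remediation paragraph), as an added example that is not vuln.today's or Mozilla's tooling: the script classifies each build against the two fixed versions this page names, Firefox 152 and Firefox ESR 140.12, using the "esr" suffix in the version string to select the branch, so that 140.12.0esr is reported fixed even though 140 is below 152. The hostnames and versions in SAMPLE_INVENTORY are constructed sample data, and the host<TAB>version line format is an assumption of this example.

```python
"""Triage a Firefox inventory against the CVE-2026-12315 fixed versions.

Added example, not vuln.today's or Mozilla's tooling. It assumes only what
this page states: the fix ships in Firefox 152 and Firefox ESR 140.12, so a
release build below 152 or an ESR build below 140.12 is treated as affected.
The inventory below is constructed sample data.
"""
import re

FIXED_RELEASE = (152, 0, 0)
FIXED_ESR = (140, 12, 0)

# Accepts "151.0.1", "140.12.0esr", "153.0a1": major, optional minor/patch,
# optional alphabetic suffix (esr, a1, b2, ...).
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?([A-Za-z]+\d*)?")

# Constructed sample inventory: hostname<TAB>output of `firefox --version`.
SAMPLE_INVENTORY = """\
# host\tversion
ws-041\tMozilla Firefox 151.0.1
ws-042\tMozilla Firefox 152.0
srv-lab\tMozilla Firefox 140.11.0esr
srv-ops\tMozilla Firefox 140.12.0esr
dev-nightly\tMozilla Firefox 153.0a1
kiosk-7\tMozilla Firefox 128.14.0esr
"""


def parse_version(text):
    """Return (major, minor, patch, is_esr) from a Firefox version string.

    Missing minor/patch count as 0; an 'esr' suffix marks the ESR branch.
    Only the version field should be passed in, not a whole inventory line,
    so digits in a hostname are never mistaken for a version."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, suffix = match.groups()
    is_esr = bool(suffix) and suffix.lower().startswith("esr")
    return int(major), int(minor or 0), int(patch or 0), is_esr


def is_affected(version_text):
    """True if the build predates the fix on its own branch.

    ESR and release lines are compared against different thresholds, so
    140.12.0esr is fixed although 140 < 152, and 151.x release is not."""
    major, minor, patch, is_esr = parse_version(version_text)
    threshold = FIXED_ESR if is_esr else FIXED_RELEASE
    return (major, minor, patch) < threshold


def triage(inventory_text):
    """Map each host in a host<TAB>version listing to 'affected' or 'fixed'."""
    status = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        status[host] = "affected" if is_affected(version) else "fixed"
    return status


if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {state}")
```

Feed it the real `firefox --version` output collected by whatever inventory agent is in use; the only thing that needs to match is the tab-separated two-column layout assumed here.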



EUVD-2026-37106 vulnerability details – vuln.today
