{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6760", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:54.751Z", "datePublished": "2026-04-21T12:40:55.131Z", "dateUpdated": "2026-04-21T23:34:52.712Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}]}], "title": "Mitigation bypass in the Networking: Cookies component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016923"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "credits": [{"lang": "en", "value": "Richard Belisle"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:52.712Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}], "id": "CVE-2026-6760", "lastModified": "2026-04-22T00:16:32.047", "metrics": {}, "published": "2026-04-21T13:16:21.950", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016923"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T03:17:04.691292+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 150 or a newer release that contains the fix for the Networking: Cookies component.", "Temporarily disable third\u2011party cookies to mitigate the impact while the patch is applied.", "Ensure that any installed add\u2011ons are updated or disabled if they could influence cookie handling behavior."], "summary": {"action": "Apply Patch", "impact": "Cookie Mitigation Bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox products are affected. Versions before 150 lack the fix, while Firefox 150 and later incorporate the patch. All platforms running these vulnerable versions of Firefox are potentially impacted.", "description_and_impact": "The vulnerability allows a malicious website or script to bypass the cookie mitigation policies implemented in Firefox's Networking: Cookies component. By circumventing these restrictions, an attacker could set or read cookies that should be blocked, potentially enabling session hijacking, cross\u2011site request forgery, or other credential theft techniques. No CVSS score is provided, so the exact severity is unclear, but the ability to override cookie policies suggests a significant impact on confidentiality and integrity of user authentication data.", "risk_and_exploitability": "The EPSS metric is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would likely need to supply malicious web content that exploits the cookie processing flow; this can occur through normal browser usage, indicating a usable path for exploitation. Although no official CVSS score is cited, the nature of bypassing cookie mitigations points to moderate to high risk, especially in environments where strict cookie policies are required."}}}}, "created": "2026-04-21T16:45:15.077210+00:00", "updated": "2026-04-22T03:30:06.680666+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"], "weaknesses": ["CWE-284"]}