{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6763", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:57.216Z", "datePublished": "2026-04-21T12:40:57.591Z", "dateUpdated": "2026-04-21T23:34:56.036Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}]}], "title": "Mitigation bypass in the File Handling component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2021666"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "credits": [{"lang": "en", "value": "Tomoya Nakanishi"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:56.036Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:12:14.804188Z", "id": "CVE-2026-6763", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:12:19.161Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6763", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:12:14.804188Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:12:02.113Z"}}], "cna": {"title": "Mitigation bypass in the File Handling component", "credits": [{"lang": "en", "value": "Tomoya Nakanishi"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2021666"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "value": "Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:56.036Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6763", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:34:56.036Z", "dateReserved": "2026-04-21T12:40:57.216Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:40:57.591Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}], "id": "CVE-2026-6763", "lastModified": "2026-04-22T00:16:32.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:22.227", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2021666"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[140.10,140.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T03:15:31.368093+00:00", "value": {"mitigation_remediation": ["Upgrade all Firefox installations to version 150 or later.", "Verify that any browser extensions potentially interacting with file handling are updated or disabled until a patch is applied.", "Adjust Firefox's security settings to restrict file downloads and openings, such as enabling the 'Warn before opening files' option, until the official update is applied."], "summary": {"action": "Immediate Patch", "impact": "Security Control Bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox users running any version prior to 150 on the mainline channel, or any ESR releases earlier than 140.10, are affected. The vulnerability is present in all builds of these versions and is not limited to specific modules or extensions.", "description_and_impact": "A vulnerability has been identified in the File Handling component of Firefox, allowing a mitigation bypass. The flaw permits an attacker to circumvent built\u2011in safety checks that are intended to prevent unsafe file operations or data input from influencing program behavior. Bypassing these mitigations can potentially increase the attack surface and permit the exploitation of other, more serious vulnerabilities that rely on the integrity of the filesystem handling logic.", "risk_and_exploitability": "No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The risk remains for systems that have not applied the official fix. Since the flaw is a direct bypass of security mitigations, it is considered serious for any unpatched installation. The lack of publicly known exploits does not diminish the need for remediation, as the vulnerability can be leveraged to facilitate further attacks once the mitigations are subverted."}}}}, "created": "2026-04-21T17:00:11.951565+00:00", "updated": "2026-04-22T03:30:06.679051+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"], "weaknesses": ["CWE-284"]}