CVE-2026-6760

Critical

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely patching of known flaws like CVE-2026-6760, fixed in Firefox 150 and Thunderbird 150, to prevent exploitation of the cookie mitigation bypass.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Requires vulnerability scanning to identify systems running vulnerable Firefox or Thunderbird versions prior to 150 affected by the cookie handling bypass.

SI-5 Security Alerts, Advisories, and Directives partial match

prevent

Ensures dissemination of security advisories like MFSA2026-30 and MFSA2026-33 to prompt remediation of CVE-2026-6760.

Security SummaryAI

CVE-2026-6760 is a mitigation bypass vulnerability (CWE-288) in the Networking: Cookies component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 150 and Thunderbird 150, where the issue was fixed. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to bypass security mitigations related to cookie handling in networking operations.

Mozilla's security advisories MFSA2026-30 and MFSA2026-33 detail the patch, which was implemented in Firefox 150 and Thunderbird 150. Additional technical information is available in Bugzilla bug 2016923.

Details

CWE(s): CWE-288

Affected Products

mozilla

firefox

≤ 150.0

mozilla

thunderbird

≤ 150.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1550.004 Web Session Cookie Lateral Movement

Adversaries can use stolen session cookies to authenticate to web applications and services.

attack.mitre.org →

Why these techniques?

Remote unauthenticated browser vulnerability with no user interaction and high C/I/A impact directly enables client-side exploitation (T1203). Cookie handling mitigation bypass facilitates improper use of web session cookies for authentication (T1550.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2016923
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org