CVE-2026-6774
Published: 21 April 2026
Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.
Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.
Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.
Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.
The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.
Impact analysis identifies changes that could weaken or disable existing protection mechanisms.
Security SummaryAI
CVE-2026-6774 is a mitigation bypass vulnerability in the DOM Security component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 150 and Thunderbird 150, where attackers can circumvent security protections in the Document Object Model handling. The issue is classified under CWE-693 (Protection Mechanism Failure) with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating medium severity due to network accessibility, low attack complexity, and limited impact on confidentiality and integrity.
Exploitation requires a low-privileged attacker (PR:L) with network access to deliver a malicious payload, combined with user interaction (UI:R), such as clicking a link or engaging with crafted content. Successful exploitation changes the scope (S:C) to allow limited disclosure of sensitive information (C:L) or modification of data (I:L) within the browser or email client context, bypassing intended DOM security mitigations without impacting availability.
Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) confirm the fix in Firefox 150 and Thunderbird 150, recommending immediate upgrades to patched versions. Additional details are available in Bugzilla ticket 2016915.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Browser DOM mitigation bypass directly enables client-side exploitation (T1203) via malicious links or crafted web content (T1204.001, T1189 drive-by).