{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6760", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:54.751Z", "datePublished": "2026-04-21T12:40:55.131Z", "dateUpdated": "2026-04-21T23:34:52.712Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}]}], "title": "Mitigation bypass in the Networking: Cookies component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016923"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "credits": [{"lang": "en", "value": "Richard Belisle"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:52.712Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}], "id": "CVE-2026-6760", "lastModified": "2026-04-22T00:16:32.047", "metrics": {}, "published": "2026-04-21T13:16:21.950", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016923"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T10:09:15.709199+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 150 or newer to receive the fix for the Networking: Cookies component.", "Upgrade to Thunderbird 150 or newer to obtain the same patch.", "If a timely update is not possible, enforce stricter cookie policies\u2014such as disabling third\u2011party cookies or using enterprise policy to restrict cookie usage\u2014to reduce the window of exploitation.", "Ensure that any extensions or add\u2011ons that manipulate cookies are disabled or updated to avoid interference with the patch."], "summary": {"action": "Apply Patch", "impact": "Cookie Mitigation Bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird versions prior to 150 are impacted. The fix is included in Firefox 150 and Thunderbird 150, so all installations running those or earlier releases are vulnerable.", "description_and_impact": "The description identifies a bypass of the cookie mitigation mechanisms within the Networking: Cookies component. This flaw permits an attacker to override or remove the intended cookie security controls. Based on the description, it is inferred that malicious web content could be crafted to exploit the cookie handling flow, potentially leading to session hijacking, cross\u2011site request forgery, or unauthorized access to authentication tokens. The consequences include compromise of user confidentiality and integrity of credentials.", "risk_and_exploitability": "The EPSS metric is not available, and the vulnerability is not listed in CISA's KEV catalog. Attackers would likely need to deliver malicious web pages or scripts that trigger the cookie processing logic; this is a usable path through normal browsing. No official CVSS score is provided, but bypassing cookie mitigations suggests a moderate to high risk, especially in environments that enforce stringent cookie policies."}}}}, "created": "2026-04-21T16:45:15.077210+00:00", "updated": "2026-04-22T10:15:14.512567+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"], "weaknesses": ["CWE-352"]}