Spoofing Vulnerability in Mozilla Firefox WebExtensions
CVE-2026-8960

7.5HIGH

Key Information:

Vendor: Mozilla
Status: Firefox; Thunderbird
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-8960?

A spoofing vulnerability has been identified in the WebExtensions framework of Mozilla Firefox, allowing attackers to craft malicious extensions that might misrepresent themselves. This flaw poses a risk as it could lead to user deception and potentially unauthorized actions performed by the affected browser. The issue has been addressed in version 151 of Firefox, highlighting the importance of keeping software up to date to mitigate such vulnerabilities.

Affected Version(s)

Firefox 151

Thunderbird 151

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1940116

https://www.mozilla.org/security/advisories/mfsa2026-46/

https://www.mozilla.org/security/advisories/mfsa2026-50/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 19, 2026

Credit

Kanaru Sato

CVE-2026-8960 Data

JSON