CVE-2026-8950: Same-origin policy bypass in the Networking: HTTP component
Published May 19, 2026
·Updated
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Affected Software
8 affected componentsFixes available
Mozilla Firefox<151
151
Mozilla Firefox ESR<140.11
140.11
Mozilla Thunderbird<151
151
Mozilla Thunderbird<140.11
140.11
Mozilla Firefox<140.11.0
Mozilla Firefox<151.0.0
Mozilla Thunderbird<140.11
Mozilla Thunderbird<151.0.0
Event History
May 19, 2026
CVE Published
via Mozilla·12:00 AM
Data Sourced
via Mozilla·12:00 AM
DescriptionSeverityAffected Software
Updated
via Mozilla·12:00 AM
Affected Software
CVE Published
via MITRE·12:29 PM
Data Sourced
via MITRE·12:29 PM
Description
Data Sourced
via NVD·02:16 PM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-8950?
CVE-2026-8950 is classified as a moderate severity vulnerability.
2
How do I fix CVE-2026-8950?
To fix CVE-2026-8950, update your Firefox to version 151 or later or Thunderbird to version 151 or later.
3
What components are affected by CVE-2026-8950?
CVE-2026-8950 affects the Networking: HTTP component, specifically the same-origin policy.
4
Which versions of software are impacted by CVE-2026-8950?
CVE-2026-8950 impacts Firefox versions prior to 151, Firefox ESR prior to 140.11, and Thunderbird versions prior to 151.
5
Is CVE-2026-8950 applicable to older ESR versions?
Yes, CVE-2026-8950 is applicable to Firefox ESR versions prior to 140.11.