CVE-2026-0890
DOM Spoofing Vulnerability in Firefox Copy-Paste and Drag-Drop
Publication date: 2026-01-13
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | before 147 (exclusive) |
| mozilla | firefox_esr | before 140.7 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a spoofing issue in the Document Object Model (DOM) related to the Copy & Paste and Drag & Drop components in Firefox versions before 147 and Firefox ESR before 140.7. It allows attackers to bypass existing security mitigations within the DOM, potentially enabling unauthorized actions or exploitation within the browser environment. [2]
How can this vulnerability impact me?
The vulnerability can allow attackers to circumvent security measures in the browser's DOM, which may lead to unauthorized actions or exploitation such as spoofing attacks. This could compromise the integrity of user interactions like Copy & Paste and Drag & Drop, potentially leading to misleading or malicious content being executed or displayed. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Firefox to version 147 or later, or Firefox ESR to version 140.7 or later, where the issue has been fixed as part of security updates addressing this and other vulnerabilities. [1, 2]