CVE-2026-2790

Received Received - Intake

Same-Origin Policy Bypass in Firefox Networking JAR Component

Publication date: 2026-02-24

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description

Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-24

Last Modified

2026-04-13

Generated

2026-06-16

AI Q&A

2026-02-24

EPSS Evaluated

2026-06-14

NVD

CVE-2026-2790

Affected Vendors & Products

Vendor	Product	Version / Range
mozilla	firefox	to 148.0 (exc)
mozilla	thunderbird	to 148.0 (exc)
mozilla	thunderbird	to 140.8.0 (exc)
mozilla	firefox	to 140.8.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-346	The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

Executive Summary

This vulnerability is a same-origin policy bypass in the Networking: JAR component of Firefox. It affects Firefox versions earlier than 148 and Firefox ESR versions earlier than 140.8.

Impact Analysis

I don't know

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-2790. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-2790

Same-Origin Policy Bypass in Firefox Networking JAR Component

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart