CVE-2026-0888

5.3 MEDIUM

📋 TL;DR

This CVE describes an information disclosure vulnerability in the XML component of Firefox and Thunderbird. Crafted XML content processed by an affected browser or mail client could let an attacker read data they should not have access to. Users running Firefox or Thunderbird versions below 147 are affected; version 147 contains the fix.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 147, Thunderbird < 147
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Firefox is Mozilla's web browser and Thunderbird is Mozilla's email and calendar client. Both are built on the same Gecko engine and share the XML processing code in which this issue was found, which is why they carry the same affected-version boundary.

⚠️ Risk & Real-World Impact

🔴

Worst Case

In the worst case, attackers could exfiltrate sensitive user data such as passwords, cookies, session tokens, or other confidential information held in the browser's memory or storage. The advisory does not state that this level of access is achievable; treat it as the upper bound, not the expected outcome.

🟠

Likely Case

Limited information disclosure of non-critical data from XML processing operations, potentially exposing some user data or system information to the page or message that triggered it.

🟢

If Mitigated

Updating to version 147 removes the issue. Short of that, network segmentation and hardened browser settings do not stop a client-side disclosure; they only limit what a compromised client can reach afterwards, so some information leakage may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation likely requires user interaction such as visiting a malicious website or opening a crafted email or attachment; no authentication to the victim's system is needed, only delivery of the crafted content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 147, Thunderbird 147

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-01/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 147 or higher to download.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript for untrusted sites
  Platforms: all
  Effect: Reduces attack surface if the attack path relies on script; the advisory does not say whether script is required, so treat this as partial. Thunderbird already disables JavaScript in message content by default.

Use content security policies
  Platforms: all
  Effect: CSP headers are set by the sites you operate and only constrain content loaded on those sites; they do not protect a user who visits an attacker-controlled page. Useful for limiting exposure on your own web applications, not as a client-side workaround.

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network segmentation to isolate vulnerable browsers from sensitive systems
  • Push the 147 update through your endpoint-management tooling rather than relying on users to click Help → About

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird dialog. If version is below 147, system is vulnerable.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is 147 or higher in About dialog after update and restart.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors, if your endpoint agent or crash-reporting pipeline surfaces them
  • Unexpected data exfiltration patterns from workstations after browsing or mail activity

Note that Firefox and Thunderbird do not write XML parse logs by default, so log-based detection depends on what your endpoint tooling collects. The dependable signal for this CVE is software inventory: any host reporting Firefox or Thunderbird below 147 is exposed.

Network Indicators:

  • Suspicious XML payloads in HTTP traffic
  • Unusual outbound data transfers after XML processing

SIEM Query:

The query below is illustrative: the source names and event fields are placeholders that must be mapped to the log sources your environment actually has. The OR is parenthesized so the source filter applies before the AND.

(source="firefox.log" OR source="thunderbird.log") AND (event="xml_error" OR event="parse_error")
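The verification and inventory checks above, as an added example that is not part of this page or of Mozilla's advisory. It parses the output format of `firefox --version` / `thunderbird --version` ("Mozilla Firefox 146.0.1"), compares the major version against 147, and applies the same test to a constructed inventory export (hostname,product,version). The inventory lines, hostnames and the `FIXED_MAJOR` threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Mozilla's code, not from the advisory): check installed
# Firefox/Thunderbird versions against the fixed release and scan an inventory.

FIXED_MAJOR=147   # first fixed release per the advisory (assumption: major only)

# major_version "Mozilla Firefox 146.0.1" -> prints "146"
# Takes the last whitespace-separated field and keeps everything before the first dot,
# so "140.3.0esr" and "147.0" both parse.
major_version() {
    printf '%s\n' "$1" | awk '{print $NF}' | cut -d. -f1
}

# is_vulnerable VERSION_STRING -> 0 if major < FIXED_MAJOR, 1 if fixed, 2 if unparseable
is_vulnerable() {
    major=$(major_version "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: cannot decide
    esac
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# check_local: query the real binaries if installed; prints one line per product.
check_local() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            ver=$("$bin" --version 2>/dev/null)
            if is_vulnerable "$ver"; then
                printf '%s: %s -> VULNERABLE (update to %s or later)\n' "$bin" "$ver" "$FIXED_MAJOR"
            else
                printf '%s: %s -> ok or unparseable\n' "$bin" "$ver"
            fi
        fi
    done
}

# Constructed inventory export (hostname,product,version); not real data.
INVENTORY='ws-101,Mozilla Firefox,146.0.1
ws-102,Mozilla Firefox,147.0
mail-07,Mozilla Thunderbird,140.3.0esr
ws-103,Mozilla Firefox,unknown'

# vulnerable_hosts: prints hosts below 147, and flags hosts whose version
# could not be parsed so they are triaged rather than silently ignored.
vulnerable_hosts() {
    printf '%s\n' "$INVENTORY" | while IFS=, read -r host product version; do
        rc=0
        is_vulnerable "$product $version" || rc=$?
        case "$rc" in
            0) printf '%s\n' "$host" ;;
            2) printf '%s (version unparseable, triage manually)\n' "$host" ;;
        esac
    done
}

# Stand-alone usage: check this machine, then list exposed hosts from the inventory.
check_local
vulnerable_hosts
```

The major-version comparison is deliberate: the advisory gives 147 as the fix boundary and ESR builds carry their own numbering, so a host reporting "140.3.0esr" is correctly reported as below 147 rather than being missed by a string compare. Unparseable entries are surfaced instead of dropped, since an inventory field that reads "unknown" is exactly the host you want to look at.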

🔗 References

  • Mozilla Foundation Security Advisory: https://www.mozilla.org/security/advisories/mfsa2026-01/
