Firefox and Thunderbird: Malicious Web Pages Can Access Local Files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

Firefox and Thunderbird: Malicious Web Pages Can Access Local Files

CVE-2026-2790

Summary

Certain versions of Firefox and Thunderbird allow malicious web pages to access local files, which could lead to data theft or other security risks. This affects users who haven't updated to the latest versions. To fix this, update to the latest version of Firefox or Thunderbird to ensure you have the latest security patches.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mozilla	firefox	<= 140.8.0	–
mozilla	firefox	<= 148.0	–
mozilla	thunderbird	<= 140.8.0	–
mozilla	thunderbird	<= 148.0	–

Original title

Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

Original description

Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

nvd CVSS3.1 9.8

Vulnerability type

CWE-346

https://bugzilla.mozilla.org/show_bug.cgi?id=2008426 Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2026-13/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-15/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-16/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-17/ Vendor Advisory

Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026