{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0890", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-01-13T13:30:58.912Z", "datePublished": "2026-01-13T13:30:59.089Z", "dateUpdated": "2026-04-13T13:52:07.852Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "147", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}]}], "title": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005081"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "credits": [{"lang": "en", "value": "Edgar Chen"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:52:07.852Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T15:30:33.018220Z", "id": "CVE-2026-0890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T15:30:48.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T15:30:33.018220Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T20:31:18.521Z"}}], "cna": {"title": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component", "credits": [{"lang": "en", "value": "Edgar Chen"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "147", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005081"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:52:07.852Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0890", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:52:07.852Z", "dateReserved": "2026-01-13T13:30:58.912Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-01-13T13:30:59.089Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "A2FC50B3-5A36-4702-8CF6-CC732E3B148B", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1", "versionEndExcluding": "147.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D", "versionEndExcluding": "140.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5", "versionEndExcluding": "147.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n en el DOM: componente de Copiar y Pegar y Arrastrar y Soltar. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 y Thunderbird < 140.7."}], "id": "CVE-2026-0890", "lastModified": "2026-04-13T15:17:18.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-13T14:16:39.523", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005081"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-01/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-04/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component", "id": "2428971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428971"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-0890", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-13T13:30:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0890\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0890\nhttps://www.mozilla.org/security/advisories/mfsa2026-03/#CVE-2026-0890"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-15T15:52:45.325013+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 147 or newer, or to Firefox ESR 140.7 or newer, and upgrade Thunderbird to version 147 or newer, or to Thunderbird ESR 140.7 or newer.", "If an immediate upgrade is impossible, limit or disable the copy, paste, and drag\u2011and\u2011drop capabilities in the affected applications through group policy or configuration to reduce the attack surface for user interaction.", "Provide users with guidance on recognizing and avoiding clipboard and drag\u2011and\u2011drop spoofing, such as verifying the source before pasting or dragging content into trusted applications."], "summary": {"action": "Assess Impact", "impact": "Spoofing"}, "threat_synthesis": {"affected_systems": "The issue affects Mozilla Firefox and Thunderbird. All versions prior to Firefox 147 and Firefox ESR 140.7, and Thunderbird 147 and Thunderbird ESR 140.7 are vulnerable. Subsequent releases are fixed.", "description_and_impact": "The vulnerability is a spoofing issue in the DOM copy and paste and drag\u2011and\u2011drop components. It allows an attacker to cause a user to believe that data came from a trusted source when it did not\u2014facilitating phishing, data manipulation, or social\u2011engineering attacks. The flaw arises from improper origin validation in the clipboard and drag event handling, corresponding to CWE\u2011290.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the KEV catalog and no public exploit is known. The attack vector appears to be local and user\u2011interactive, requiring a user to copy or drag content from a malicious source such as a compromised website or email attachment; exploitation relies on user interaction in addition to the technical flaw."}}}}, "created": "2026-01-14T11:09:16.739070+00:00", "updated": "2026-04-15T18:15:10.870809+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}