{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3846", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-09T19:33:22.195Z", "datePublished": "2026-03-10T15:03:50.043Z", "dateUpdated": "2026-04-13T13:54:04.223Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148.0.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2."}]}], "title": "Same-origin policy bypass in the CSS Parsing and Computation component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018400"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "credits": [{"lang": "en", "value": "Jun Yang"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:04.223Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "CWE-346 Origin Validation Error"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T17:45:04.547350Z", "id": "CVE-2026-3846", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:47:41.548Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T17:45:04.547350Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:44:03.112Z"}}], "cna": {"title": "Same-origin policy bypass in the CSS Parsing and Computation component", "credits": [{"lang": "en", "value": "Jun Yang"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "148.0.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018400"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.", "supportingMedia": [{"type": "text/html", "value": "Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:04.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3846", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:54:04.223Z", "dateReserved": "2026-03-09T19:33:22.195Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-10T15:03:50.043Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "30996A31-AEAC-4DDF-8B3A-A24A6EFB1728", "versionEndExcluding": "148.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2."}, {"lang": "es", "value": "Elusi\u00f3n de la pol\u00edtica del mismo origen en el componente de an\u00e1lisis y c\u00e1lculo de CSS. Esta vulnerabilidad afecta a Firefox < 148.0.2."}], "id": "CVE-2026-3846", "lastModified": "2026-04-13T15:17:34.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-10T18:19:05.673", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018400"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,148.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T16:41:17.486158+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 148.0.2 or newer.", "Deploy the updated Firefox package across all managed devices.", "Monitor browser logs for unexpected CSS parsing errors that may signal exploitation attempts."], "summary": {"action": "Patch promptly", "impact": "Same-origin policy bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions earlier than 148.0.2 are affected. All builds of Firefox that match the Mozilla:Firefox product entry are vulnerable until the 148.0.2 release applies the fix.", "description_and_impact": "The vulnerability stems from a flaw in Firefox\u2019s CSS parsing and computation component that allows a malicious website to bypass the same-origin policy. Based on the description, it is inferred that an attacker may read or modify resources that should be protected by cross-origin restrictions, potentially compromising the confidentiality or integrity of user data. The weakness is classified as CWE\u2011346, indicating an access control violation inherent in the browser\u2019s handling of CSS.", "risk_and_exploitability": "The CVSS base score of 6.5 denotes a moderate risk level. The EPSS score of less than 1% indicates that, as of now, the probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a web page that a user visits, delivering specially crafted CSS that triggers the bypass. Successful exploitation would occur entirely in the victim\u2019s browser without any additional user interaction beyond normal browsing."}}}}, "created": "2026-03-11T11:50:04.700435+00:00", "updated": "2026-04-15T17:00:07.026866+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}