CVE-2026-3846: Origin Validation Error in Mozilla Firefox

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 95.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 10
Latest update: Mar 24

Description

Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 148.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

NVD: mozilla/firefox < 148.0.2

🔴 Vulnerability Details (6)

GHSA: Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior (2026-03-24)
GHSA: Craft CMS vulnerable to behavior injection RCE via EntryTypesController (2026-03-16)
GHSA: Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController (2026-03-16)
OSV: CVE-2026-3846: Same-origin policy bypass in the CSS Parsing and Computation component (2026-03-10)
CVEList: Same-origin policy bypass in the CSS Parsing and Computation component (2026-03-10)

📋 Vendor Advisories (2)

Debian: CVE-2026-3846: firefox - Same-origin policy bypass in the CSS Parsing and Computation component. This vul... (2026)
Mozilla: Mozilla Foundation Security Advisory 2026-19: CVE-2026-3846

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-3846 Impact, Exploitability, and Mitigation Steps | Wiz