CVE-2025-5266

Published: May 27, 2025Modified: Jun 17, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Affected (2)

Products: Mozilla: Firefox

Mozilla

1 product

Firefox

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 139.0
Mozilla Firefox	Before 128.11.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (7)

https://bugzilla.mozilla.org/show_bug.cgi?id=1965628

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-42/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-44/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-45/

Source: security@mozilla.org

https://www.mozilla.org/security/advisories/mfsa2025-46/

Source: security@mozilla.org

https://lists.debian.org/debian-lts-announce/2025/05/msg00043.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.