Skip to main content
CVE-2025-8043 CRITICAL POC PATCH Act Now

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar. Affects all Firefox versions prior to 141 and corresponding Thunderbird releases. Attackers can craft URLs that hide the true destination, tricking users into visiting malicious sites. Publicly available exploit code exists. CVSS 9.8 critical rating reflects network-based attack requiring no authentication, though real-world exploitation requires social engineering (user interaction despite UI:N vector).

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-4285 CRITICAL Act Now

SQL injection in Rolantis Information Technologies Agentis versions prior to 4.32 allows remote unauthenticated attackers to inject arbitrary SQL commands with scope change, enabling full compromise of confidentiality, integrity, and availability (CVSS 10.0). The flaw was reported by Turkey's national CERT (USOM) and carries no public exploit identified at time of analysis, though the maximum CVSS score and trivial attack profile make this a high-priority patch despite the modest EPSS of 0.24%.

SQLi
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-8044 CRITICAL PATCH Act Now

Memory corruption in Firefox 140 and Thunderbird 140 enables remote code execution without authentication. Mozilla confirmed multiple memory safety bugs with evidence of corruption, collectively presumed exploitable for arbitrary code execution. Fixed in Firefox 141 and Thunderbird 141. CVSS 9.8 critical severity with network-accessible attack vector requiring no user interaction. EPSS data not provided; no public exploit identified at time of analysis.

Mozilla RCE Buffer Overflow Thunderbird Red Hat +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8038 CRITICAL PATCH Act Now

Frame navigation validation bypass in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to violate security boundaries due to improper path checking (CWE-345). Affects Firefox <141, Firefox ESR <140.1, Thunderbird <141, and Thunderbird ESR <140.1. The CVSS 9.8 critical score reflects network-based exploitation with no user interaction required, enabling potential unauthorized access, data manipulation, and service disruption. No public exploit identified at time of analysis, though the network attack vector (AV:N) and low complexity (AC:L) suggest straightforward exploitation once technical details emerge.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8031 CRITICAL PATCH Act Now

HTTP Basic Authentication credentials leak in Mozilla Firefox and Thunderbird via Content Security Policy (CSP) violation reports affects all versions prior to Firefox 141, Firefox ESR 128.13/140.1, and Thunderbird 141/128.13/140.1. When CSP violations occur on pages using HTTP Basic Auth, the browser incorrectly includes username:password in the violation report URL sent to the CSP report endpoint, exposing credentials to potentially untrusted third parties. With CVSS 9.8 and network-based unauthenticated attack vector (AV:N/AC:L/PR:N), this represents a critical credential disclosure vulnerability, though no public exploit or active exploitation (non-KEV) is confirmed at time of analysis.

Mozilla Privilege Escalation Thunderbird Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8028 CRITICAL PATCH Act Now

WebAssembly JIT compiler on ARM64 architectures incorrectly calculates branch addresses when processing WASM br_table instructions with numerous entries, enabling remote code execution in Firefox <141, Firefox ESR <115.26/128.13/140.1, and Thunderbird <141/128.13/140.1. The vulnerability requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), allowing network-based attackers to potentially execute arbitrary code through malicious WASM content. Vendor-released patches are available across all affected product lines. No public exploit identified at time of analysis, though the CVSS 9.8 critical rating reflects the theoretical severity of unauthenticated remote code execution.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-8037 CRITICAL PATCH Act Now

Cookie shadowing in Mozilla Firefox (versions prior to 141 and ESR prior to 140.1) and Thunderbird (versions prior to 141 and ESR prior to 140.1) allows remote unauthenticated attackers to bypass Secure cookie protections and access or modify session data. A nameless cookie containing an equals sign set over insecure HTTP can override cookies with the Secure attribute, enabling session hijacking or authentication bypass. No public exploit identified at time of analysis, though the attack complexity is low (CVSS AC:L) with network-based attack vector requiring no user interaction.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy