Skip to main content
CVE-2025-11721 CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox 143 and Thunderbird 143 allows unauthenticated network attackers to execute arbitrary code via memory corruption. The vulnerability stems from a memory safety bug (CWE-119 buffer overflow) exploitable without user interaction. CVSS score of 9.8 reflects critical severity with network-based attack vector, low complexity, and no privileges required. Vendor-released patches are available in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, though Mozilla's assessment indicates the memory corruption is presumed exploitable with sufficient effort.

Mozilla RCE Buffer Overflow Thunderbird Red Hat +1
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11719 CRITICAL PATCH Act Now

Use-after-free memory corruption in Mozilla Thunderbird 143+ and Firefox allows remote code execution via malicious web extensions exploiting the native messaging API on Windows. CVSS 9.8 (critical) with network-based attack vector requiring no user interaction or authentication. Patched in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, but CVSS metrics indicate high exploitability (AV:N/AC:L/PR:N/UI:N) with complete impact to confidentiality, integrity, and availability.

Memory Corruption Use After Free Buffer Overflow Mozilla Microsoft +3
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11710 CRITICAL PATCH Act Now

Information disclosure in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to extract privileged browser process memory via malicious IPC messages from a compromised web content process. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. CVSS 9.8 indicates network-exploitable with no auth required, though actual exploitation requires first compromising a web content process. Vendor-released patches available (Firefox 144, Firefox ESR 115.29/140.4, Thunderbird 144/140.4). No public exploit identified at time of analysis; EPSS data not provided.

Mozilla Information Disclosure Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11709 CRITICAL PATCH Act Now

Out-of-bounds memory corruption in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to achieve code execution via malicious WebGL texture operations. A compromised web content process can exploit manipulated WebGL textures to trigger out-of-bounds reads and writes in privileged browser processes, potentially leading to full system compromise. Affects Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. Vendor-released patches available across all affected product lines. CVSS 9.8 reflects network-accessible, no-authentication-required attack with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the specific Bugzilla reference (1989127) indicates detailed technical analysis exists.

Memory Corruption Mozilla Buffer Overflow Thunderbird Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11708 CRITICAL PATCH Act Now

Remote code execution in Mozilla Firefox (all versions prior to 144, ESR prior to 140.4) and Thunderbird (all versions prior to 144, ESR prior to 140.4) allows unauthenticated remote attackers to execute arbitrary code, disclose sensitive information, or cause denial of service through a use-after-free vulnerability in MediaTrackGraphImpl::GetInstance(). With a critical CVSS score of 9.8 and no authentication required, this memory corruption flaw represents a severe security risk. No public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Memory Corruption Mozilla Use After Free Information Disclosure Thunderbird +2
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-10610 CRITICAL Act Now

Blind SQL injection in SFS Consulting's Winsure platform (all versions through the 21.08.2025 release) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The flaw carries a CVSS 9.8 rating reflecting network-reachable, low-complexity exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. The advisory was issued by Turkey's national CERT (USOM), suggesting regional relevance to Turkish insurance-sector deployments.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-11717 CRITICAL PATCH Act Now

Firefox for Android leaks password-related screen content through the Android task switcher card carousel, exposing sensitive information to local attackers with physical or remote access to the device. Affects Firefox for Android versions prior to 144. No public exploit identified at time of analysis, but exploitation is trivial requiring only device access and standard OS features. CVSS 9.1 reflects the unauthenticated network attack vector, though real-world exploitation typically requires local device access, making the practical risk moderate for most threat models.

Mozilla Google Information Disclosure Suse
NVD
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy