Is Mozilla affected by CVE-2026-5731?

Mozilla Firefox and Thunderbird contain critical remote code execution vulnerabilities (CVSS 9.8) exploitable by unauthenticated attackers without user interaction, creating immediate risk to any organization whose users operate these browsers or email clients.

CVE-2026-5731

Q: How to fix CVE-2026-5731?

Within 24 hours: Identify all Firefox and Thunderbird installations across the enterprise using asset inventory tools; disable auto-update features to prevent incomplete patching; communicate to end-users not to use affected versions for critical tasks. Within 7 days: Establish daily vendor monitoring for patch release (expected versions: Firefox 149.0.2+, Firefox ESR 115.34.1+, Firefox ESR 140.9.1+); prepare rapid deployment procedures. Within 30 days: Deploy mandatory patches to all Firefox and Thunderbird instances immediately upon vendor release; prioritize systems handling sensitive data.

EUVD-2026-19610 CRITICAL

2026-04-07 mozilla

GHSA-fwrw-mfrr-q8px

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 07, 2026 - 13:00 vuln.today

EUVD ID Assigned

Apr 07, 2026 - 13:00 euvd

EUVD-2026-19610

CVE Published

Apr 07, 2026 - 12:43 nvd

CRITICAL 9.8

Description

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2, Firefox ESR < 115.34.1, and Firefox ESR < 140.9.1.

Analysis

Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox <149.0.2, Firefox ESR <115.34.1, and Firefox ESR <140.9.1 across desktop platforms. …

Remediation

Within 24 hours: Identify all Firefox and Thunderbird installations across the enterprise using asset inventory tools; disable auto-update features to prevent incomplete patching; communicate to end-users not to use affected versions for critical tasks. Within 7 days: Establish daily vendor monitoring for patch release (expected versions: Firefox 149.0.2+, Firefox ESR 115.34.1+, Firefox ESR 140.9.1+); prepare rapid deployment procedures. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

CVE-2026-5731 vulnerability details – vuln.today

Back

CVE-2026-5731

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-5731

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code