What is the CVSS score of CVE-2026-5735?

CVE-2026-5735 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Mozilla are affected by CVE-2026-5735?

Mozilla Firefox versions prior to 149.0.2 contain critical remote code execution vulnerabilities stemming from memory safety defects that allow unauthenticated attackers to execute arbitrary code…. A patch is available.

Mozilla CVE-2026-5735

Q: How to fix or mitigate CVE-2026-5735?

Within 24 hours: Inventory all Firefox installations and identify systems running versions prior to 149.0.2. Within 7 days: Deploy Firefox 149.0.2 or later across all affected endpoints using your standard patch management process; verify Thunderbird 149.0.1 patch status with Mozilla before deployment. Within 30 days: Conduct post-patch verification to confirm all Firefox instances are at 149.0.2 or later and implement automated update enforcement to prevent regression.

EUVD-2026-19616 CRITICAL

Out-of-bounds Write (CWE-787)

2026-04-07 mozilla

RCE Buffer Overflow Memory Corruption Mozilla

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:45 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

149.0.2

EUVD ID Assigned

Apr 07, 2026 - 13:00 euvd

EUVD-2026-19616

Analysis Generated

Apr 07, 2026 - 13:00 vuln.today

CVE Published

Apr 07, 2026 - 12:43 nvd

CRITICAL 9.8

DescriptionNVD

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2.

AnalysisAI

Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. …

RemediationAI

Within 24 hours: Inventory all Firefox installations and identify systems running versions prior to 149.0.2. Within 7 days: Deploy Firefox 149.0.2 or later across all affected endpoints using your standard patch management process; verify Thunderbird 149.0.1 patch status with Mozilla before deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

Vendor StatusVendor

CVE-2026-5735 vulnerability details – vuln.today

Back

Mozilla CVE-2026-5735

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code