Mozilla
Monthly
Memory exhaustion and denial-of-service across HTTP/2 server implementations allow remote unauthenticated attackers to crash or severely degrade affected services by intentionally stalling flow control using standard HTTP/2 protocol frames. Researched and reported by the Okta Red Team and coordinated through CERT/CC as VU#885548, this class of vulnerability is tracked across three CVEs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) affecting multiple vendor implementations including F5 BIG-IP. By advertising SETTINGS_INITIAL_WINDOW_SIZE=0 and withholding WINDOW_UPDATE frames across many simultaneous streams, an attacker forces vulnerable servers to buffer unbounded response data in memory with no ability to transmit it, leading to OOM kills, swap exhaustion, or connection and worker resource starvation. No public exploit code has been identified and no CISA KEV listing is present at time of analysis.
Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. Under permissive resource limits this can trigger OOM kills, swap exhaustion, and full system unresponsiveness; under tighter limits, connection and worker pool exhaustion degrades availability for legitimate clients. Reported 2026-07-16 by Okta Red Team and coordinated as CERT VU#885548 covering at least three CVE IDs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) across multiple vendor implementations. No public exploit code identified at time of analysis, and CISA KEV listing not confirmed.
Drive-by local filesystem exfiltration in FiftyOne versions below 1.17.0 allows any malicious website to silently read arbitrary files from a victim's machine. The FiftyOne App server unconditionally returns Access-Control-Allow-Origin: * on all responses, and the unauthenticated /media endpoint serves local filesystem files by path - together these let JavaScript on any visited webpage fetch files such as SSH keys, cloud credentials, or .env files from localhost:5151 and relay them to an attacker-controlled server. No public exploit (KEV or confirmed POC) is identified at time of analysis, but the attack requires no special tooling and is trivially reproducible in Safari and Firefox, which lack Private Network Access protections.
Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. When combined with long-domain URL eliding, this allows precise origin spoofing; no public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.3 reflects high subsequent-system integrity and confidentiality impacts despite the attack requiring user interaction.
Firefox versions prior to 152.0.6 are exposed to a network-exploitable flaw requiring user interaction that yields limited confidentiality and integrity impact within the browser context. Publicly available exploit code exists, confirmed by Mozilla's own advisory language, though the vendor reports no known attacks in the wild at time of disclosure. The fix is confirmed in Firefox 152.0.6, referenced in Mozilla security advisory MFSA2026-67.
Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical).
Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.
Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.
TLS pinning bypass in undici 7.23.0 through 7.27.x and 8.x prior to 8.5.0 allows network-positioned attackers to perform man-in-the-middle attacks on HTTPS traffic routed through SOCKS5 proxies. The ProxyAgent silently drops the requestTls option (including ca, cert, key, rejectUnauthorized, and servername) when the proxy URI uses socks5:// or socks://, causing connections to fall back to Node.js's default Mozilla CA bundle instead of the application-configured trust anchor. No public exploit identified at time of analysis, but the CWE-295 improper certificate validation flaw directly defeats corporate CA pinning controls.
Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix.
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.
Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. No active exploitation is confirmed, but the SSVC framework rates this as automatable with partial technical impact, making it a credible session-hijacking vector for users on unpatched versions.
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37.
Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.
Uncontrolled resource consumption in Mozilla Firefox's Graphics: ImageLib component allows remote attackers to crash or hang the browser by serving specially crafted image content to an unsuspecting user. All Firefox release-channel versions prior to 152 and both ESR tracks (prior to 140.12 and 115.37) are affected, exposing a broad install base across consumer and enterprise environments. No public exploit has been identified, SSVC rates exploitation as none with a non-automatable attack path, and KEV listing is absent - signals that collectively place this vulnerability at lower real-world priority despite a CVSS 6.5 score.
Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).
Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152.
Denial-of-service in Mozilla Firefox's Audio/Video Playback component allows a remote attacker to crash or render the browser unresponsive by delivering crafted media content to a victim. All Firefox releases prior to version 152 are affected per CPE coverage. No public exploit has been identified at time of analysis, and SSVC rates exploitation as none with partial technical impact, placing this in the moderate-priority tier rather than an emergency response category.
Memory corruption in the NSS (Network Security Services) Libraries component shipped with Mozilla Firefox allows remote attackers to trigger out-of-bounds memory access via incorrect boundary condition handling, with low impact across confidentiality, integrity, and availability. Mozilla addressed the issue in Firefox 152, with associated advisories MFSA2026-57 and MFSA2026-60. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Memory corruption in Mozilla Firefox versions prior to 152 allows remote unauthenticated attackers to crash the browser by serving crafted web content, resulting in denial of service. The CVSS 3.1 base score of 7.5 reflects high availability impact without confidentiality or integrity loss, and no public exploit identified at time of analysis. Mozilla disclosed the issue via advisories MFSA2026-57 and MFSA2026-60 with a fix shipped in Firefox 152.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed.
Memory corruption in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 allows remote attackers to compromise browser memory integrity through crafted web content, with confidentiality impact rated High per the CVSS vector. The flaw stems from a buffer-handling defect (CWE-119) reported by Mozilla itself and addressed across multiple security advisories (MFSA2026-57, -58, -60, -61). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Denial of service in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 stems from a memory safety bug (CWE-119) that remote attackers can trigger via crafted web content. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, consistent with a browser crash rather than reliable code execution. No public exploit identified at time of analysis, and Mozilla has shipped fixes across multiple advisories (MFSA2026-57, -58, -60, -61).
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Out-of-bounds read in Firefox's WebGPU graphics component exposes browser memory contents to remote attackers who can lure a user to a malicious webpage. All Firefox versions prior to 152 are affected, with the vulnerability stemming from incorrect boundary conditions during GPU-accelerated rendering operations. No public exploit or active exploitation has been identified at time of analysis; exploitation requires user interaction, limiting opportunistic mass exploitation despite the zero-authentication requirement on the attacker side.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152.
JIT miscompilation in Mozilla Firefox's DOM Core & HTML component enables memory corruption and limited information disclosure when a user visits a malicious web page. Affecting Firefox prior to 152, Firefox ESR 140.x prior to 140.12, and Firefox ESR 115.x prior to 115.37, the root cause is a type confusion (CWE-843) in the Just-In-Time compiler that mishandles type information during DOM object operations. No public exploit has been identified and CISA's SSVC rates exploitation as none with partial technical impact; vendor patches are confirmed across all three release channels.
Out-of-bounds read memory safety bug in Mozilla Firefox allows network-based attackers to cause limited confidentiality and integrity impact by luring users to visit crafted web content. All Firefox versions prior to 152 and Firefox ESR versions prior to 140.12 are affected, per Mozilla security advisories mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis, and CISA SSVC assessment confirms no known active exploitation with only partial technical impact.
Sandbox escape in Mozilla Firefox and Firefox ESR allows a remote attacker to break out of the browser's content sandbox by exploiting incorrect boundary conditions in the Networking component, leading to full compromise of confidentiality, integrity, and availability on the host. Exploitation requires user interaction (e.g., visiting a malicious page), but with CVSS 9.6 and a scope change, successful exploitation crosses the renderer/host trust boundary. No public exploit identified at time of analysis, and EPSS is low (0.16%), consistent with the SSVC 'Exploitation: none' signal.
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating.
Memory corruption in Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity via a crafted web page that triggers a buffer-related memory safety flaw. The issue also affects Firefox ESR before 140.12 and 115.37 and requires user interaction (e.g., visiting a malicious site). No public exploit identified at time of analysis and EPSS is low (0.16%), but SSVC rates technical impact as total.
Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileges within the browser sandbox when a victim loads malicious web content. Mozilla has patched the issue in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, and no public exploit has been identified at time of analysis.
Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.
Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
JIT miscompilation in Firefox's JavaScript engine exposes users to a denial-of-service condition when visiting attacker-controlled web content. The vulnerability stems from a type confusion flaw (CWE-843) in the JIT compiler component, where incorrect type assumptions during optimization can corrupt memory state and crash the browser. No active exploitation has been confirmed (no CISA KEV listing), EPSS stands at 0.02% (5th percentile), and vendor-released patch Firefox 151.0.3 is available per Mozilla advisory mfsa2026-54.
Information disclosure in Mozilla Firefox prior to 151.0.3 allows remote attackers to read out-of-bounds memory via the Graphics: Text component when processing crafted content. The flaw stems from incorrect boundary conditions (CWE-119) in text rendering and can be triggered without user authentication, though no public exploit has been identified and EPSS scores it at just 0.02% likelihood of exploitation.
Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from `<selectedcontent>` being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.
Cross-site scripting in Firefox for iOS Reader View allows unauthenticated remote attackers to inject arbitrary markup via maliciously crafted JSON-LD metadata on attacker-controlled pages. When a victim activates Reader View on such a page, injected HTML executes in the context of an internal Firefox origin, leaking sensitive URL parameters that can be leveraged to access internal pages and achieve arbitrary JavaScript execution with elevated browser-origin trust. Mozilla patched this in Firefox for iOS 151.2 per MFSA2026-53; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.
Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.
Firefox for iOS Reader mode exposed an unauthenticated local HTTP server on the device, enabling a co-installed malicious application to request arbitrary URLs through that server and receive responses rendered with the authenticated user's session cookies. Affected versions are all Firefox for iOS releases prior to 151.0, confirmed by Mozilla Security Advisory MFSA2026-49. No public exploit code has been identified and CISA SSVC rates exploitation as none at time of analysis, but successful exploitation would allow silent exfiltration of authenticated web content from the victim's active browsing session.
Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.
Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.
Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.
Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.
Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.
Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.
Memory exhaustion and denial-of-service across HTTP/2 server implementations allow remote unauthenticated attackers to crash or severely degrade affected services by intentionally stalling flow control using standard HTTP/2 protocol frames. Researched and reported by the Okta Red Team and coordinated through CERT/CC as VU#885548, this class of vulnerability is tracked across three CVEs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) affecting multiple vendor implementations including F5 BIG-IP. By advertising SETTINGS_INITIAL_WINDOW_SIZE=0 and withholding WINDOW_UPDATE frames across many simultaneous streams, an attacker forces vulnerable servers to buffer unbounded response data in memory with no ability to transmit it, leading to OOM kills, swap exhaustion, or connection and worker resource starvation. No public exploit code has been identified and no CISA KEV listing is present at time of analysis.
Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. Under permissive resource limits this can trigger OOM kills, swap exhaustion, and full system unresponsiveness; under tighter limits, connection and worker pool exhaustion degrades availability for legitimate clients. Reported 2026-07-16 by Okta Red Team and coordinated as CERT VU#885548 covering at least three CVE IDs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) across multiple vendor implementations. No public exploit code identified at time of analysis, and CISA KEV listing not confirmed.
Drive-by local filesystem exfiltration in FiftyOne versions below 1.17.0 allows any malicious website to silently read arbitrary files from a victim's machine. The FiftyOne App server unconditionally returns Access-Control-Allow-Origin: * on all responses, and the unauthenticated /media endpoint serves local filesystem files by path - together these let JavaScript on any visited webpage fetch files such as SSH keys, cloud credentials, or .env files from localhost:5151 and relay them to an attacker-controlled server. No public exploit (KEV or confirmed POC) is identified at time of analysis, but the attack requires no special tooling and is trivially reproducible in Safari and Firefox, which lack Private Network Access protections.
Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. When combined with long-domain URL eliding, this allows precise origin spoofing; no public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.3 reflects high subsequent-system integrity and confidentiality impacts despite the attack requiring user interaction.
Firefox versions prior to 152.0.6 are exposed to a network-exploitable flaw requiring user interaction that yields limited confidentiality and integrity impact within the browser context. Publicly available exploit code exists, confirmed by Mozilla's own advisory language, though the vendor reports no known attacks in the wild at time of disclosure. The fix is confirmed in Firefox 152.0.6, referenced in Mozilla security advisory MFSA2026-67.
Information disclosure in Mozilla Firefox via CWE-763 (Release of Invalid Pointer or Reference) allows network-based attackers to read limited memory contents from affected browser instances. All Firefox versions prior to 152.0.6 are affected. Publicly available exploit code exists, though Mozilla reports no confirmed attacks in the wild; user interaction is required to trigger the flaw, moderately reducing real-world exposure.
PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.
Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path `//attacker.com` to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. A proof-of-concept is publicly documented in the security advisory; no active exploitation has been confirmed by CISA KEV at time of analysis.
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. A vendor-released patch exists in version 1.21.5b; no public exploit has been identified at time of analysis.
Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical).
Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.
Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.
TLS pinning bypass in undici 7.23.0 through 7.27.x and 8.x prior to 8.5.0 allows network-positioned attackers to perform man-in-the-middle attacks on HTTPS traffic routed through SOCKS5 proxies. The ProxyAgent silently drops the requestTls option (including ca, cert, key, rejectUnauthorized, and servername) when the proxy URI uses socks5:// or socks://, causing connections to fall back to Node.js's default Mozilla CA bundle instead of the application-configured trust anchor. No public exploit identified at time of analysis, but the CWE-295 improper certificate validation flaw directly defeats corporate CA pinning controls.
Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix.
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.
Cookie leakage in Firefox for iOS prior to 152.0 allows an attacker-controlled suffix domain to intercept cookies intended for a target site during PDF request handling. The browser's PDF loading code path applied partial rather than exact-origin domain matching when deciding which cookies to attach, meaning a domain such as 'evilbank.com' could satisfy a suffix match against 'bank.com' and receive that site's cookies. No active exploitation is confirmed, but the SSVC framework rates this as automatable with partial technical impact, making it a credible session-hijacking vector for users on unpatched versions.
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37.
Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.
Uncontrolled resource consumption in Mozilla Firefox's Graphics: ImageLib component allows remote attackers to crash or hang the browser by serving specially crafted image content to an unsuspecting user. All Firefox release-channel versions prior to 152 and both ESR tracks (prior to 140.12 and 115.37) are affected, exposing a broad install base across consumer and enterprise environments. No public exploit has been identified, SSVC rates exploitation as none with a non-automatable attack path, and KEV listing is absent - signals that collectively place this vulnerability at lower real-world priority despite a CVSS 6.5 score.
Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).
Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152.
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152.
Denial-of-service in Mozilla Firefox's Audio/Video Playback component allows a remote attacker to crash or render the browser unresponsive by delivering crafted media content to a victim. All Firefox releases prior to version 152 are affected per CPE coverage. No public exploit has been identified at time of analysis, and SSVC rates exploitation as none with partial technical impact, placing this in the moderate-priority tier rather than an emergency response category.
Memory corruption in the NSS (Network Security Services) Libraries component shipped with Mozilla Firefox allows remote attackers to trigger out-of-bounds memory access via incorrect boundary condition handling, with low impact across confidentiality, integrity, and availability. Mozilla addressed the issue in Firefox 152, with associated advisories MFSA2026-57 and MFSA2026-60. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Memory corruption in Mozilla Firefox versions prior to 152 allows remote unauthenticated attackers to crash the browser by serving crafted web content, resulting in denial of service. The CVSS 3.1 base score of 7.5 reflects high availability impact without confidentiality or integrity loss, and no public exploit identified at time of analysis. Mozilla disclosed the issue via advisories MFSA2026-57 and MFSA2026-60 with a fix shipped in Firefox 152.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60.
Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed.
Memory corruption in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 allows remote attackers to compromise browser memory integrity through crafted web content, with confidentiality impact rated High per the CVSS vector. The flaw stems from a buffer-handling defect (CWE-119) reported by Mozilla itself and addressed across multiple security advisories (MFSA2026-57, -58, -60, -61). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Denial of service in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 stems from a memory safety bug (CWE-119) that remote attackers can trigger via crafted web content. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, consistent with a browser crash rather than reliable code execution. No public exploit identified at time of analysis, and Mozilla has shipped fixes across multiple advisories (MFSA2026-57, -58, -60, -61).
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Out-of-bounds read in Firefox's WebGPU graphics component exposes browser memory contents to remote attackers who can lure a user to a malicious webpage. All Firefox versions prior to 152 are affected, with the vulnerability stemming from incorrect boundary conditions during GPU-accelerated rendering operations. No public exploit or active exploitation has been identified at time of analysis; exploitation requires user interaction, limiting opportunistic mass exploitation despite the zero-authentication requirement on the attacker side.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152.
JIT miscompilation in Mozilla Firefox's DOM Core & HTML component enables memory corruption and limited information disclosure when a user visits a malicious web page. Affecting Firefox prior to 152, Firefox ESR 140.x prior to 140.12, and Firefox ESR 115.x prior to 115.37, the root cause is a type confusion (CWE-843) in the Just-In-Time compiler that mishandles type information during DOM object operations. No public exploit has been identified and CISA's SSVC rates exploitation as none with partial technical impact; vendor patches are confirmed across all three release channels.
Out-of-bounds read memory safety bug in Mozilla Firefox allows network-based attackers to cause limited confidentiality and integrity impact by luring users to visit crafted web content. All Firefox versions prior to 152 and Firefox ESR versions prior to 140.12 are affected, per Mozilla security advisories mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis, and CISA SSVC assessment confirms no known active exploitation with only partial technical impact.
Sandbox escape in Mozilla Firefox and Firefox ESR allows a remote attacker to break out of the browser's content sandbox by exploiting incorrect boundary conditions in the Networking component, leading to full compromise of confidentiality, integrity, and availability on the host. Exploitation requires user interaction (e.g., visiting a malicious page), but with CVSS 9.6 and a scope change, successful exploitation crosses the renderer/host trust boundary. No public exploit identified at time of analysis, and EPSS is low (0.16%), consistent with the SSVC 'Exploitation: none' signal.
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating.
Memory corruption in Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity via a crafted web page that triggers a buffer-related memory safety flaw. The issue also affects Firefox ESR before 140.12 and 115.37 and requires user interaction (e.g., visiting a malicious site). No public exploit identified at time of analysis and EPSS is low (0.16%), but SSVC rates technical impact as total.
Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileges within the browser sandbox when a victim loads malicious web content. Mozilla has patched the issue in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, and no public exploit has been identified at time of analysis.
Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.
Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
JIT miscompilation in Firefox's JavaScript engine exposes users to a denial-of-service condition when visiting attacker-controlled web content. The vulnerability stems from a type confusion flaw (CWE-843) in the JIT compiler component, where incorrect type assumptions during optimization can corrupt memory state and crash the browser. No active exploitation has been confirmed (no CISA KEV listing), EPSS stands at 0.02% (5th percentile), and vendor-released patch Firefox 151.0.3 is available per Mozilla advisory mfsa2026-54.
Information disclosure in Mozilla Firefox prior to 151.0.3 allows remote attackers to read out-of-bounds memory via the Graphics: Text component when processing crafted content. The flaw stems from incorrect boundary conditions (CWE-119) in text rendering and can be triggered without user authentication, though no public exploit has been identified and EPSS scores it at just 0.02% likelihood of exploitation.
Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from `<selectedcontent>` being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.
Cross-site scripting in Firefox for iOS Reader View allows unauthenticated remote attackers to inject arbitrary markup via maliciously crafted JSON-LD metadata on attacker-controlled pages. When a victim activates Reader View on such a page, injected HTML executes in the context of an internal Firefox origin, leaking sensitive URL parameters that can be leveraged to access internal pages and achieve arbitrary JavaScript execution with elevated browser-origin trust. Mozilla patched this in Firefox for iOS 151.2 per MFSA2026-53; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.
Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.
Firefox for iOS Reader mode exposed an unauthenticated local HTTP server on the device, enabling a co-installed malicious application to request arbitrary URLs through that server and receive responses rendered with the authenticated user's session cookies. Affected versions are all Firefox for iOS releases prior to 151.0, confirmed by Mozilla Security Advisory MFSA2026-49. No public exploit code has been identified and CISA SSVC rates exploitation as none at time of analysis, but successful exploitation would allow silent exfiltration of authenticated web content from the victim's active browsing session.
Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.
Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.
Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.
Privilege escalation in Mozilla Firefox's WebRTC Audio/Video component allows remote attackers to elevate privileges within the browser context when a user is lured into interacting with a malicious page. The flaw carries a CVSS 8.8 with required user interaction and was addressed in Firefox 151; no public exploit identified at time of analysis and EPSS exploitation probability sits at 0.03% (8th percentile).
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Privilege escalation in Mozilla Firefox's Security component allows remote attackers to elevate privileges within the browser when a victim interacts with attacker-controlled content, affecting Firefox versions prior to 151 and Firefox ESR prior to 140.11. With CVSS 8.8 (high) and user interaction required, exploitation is plausible via malicious web content, though EPSS sits at just 0.04% (12th percentile) and no public exploit identified at time of analysis. SSVC rates exploitation as 'none' but flags the issue as automatable with partial technical impact, suggesting concerning scalability if a working exploit emerges.
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151.
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Information disclosure in Mozilla Firefox's WebGPU graphics component allows remote attackers to access sensitive in-memory data from browser sessions via crafted web content rendered through the WebGPU API. The flaw affects Firefox versions prior to 151 and has been addressed by Mozilla in advisories MFSA2026-46 and MFSA2026-50. There is no public exploit identified at time of analysis, and EPSS scoring (0.02%, 4th percentile) indicates very low likelihood of near-term mass exploitation.
Information disclosure in Mozilla Firefox versions prior to 151 affects the IP Protection component, allowing remote unauthenticated attackers to obtain sensitive information over the network without user interaction. The flaw carries a CVSS score of 7.5 driven entirely by confidentiality impact (C:H/I:N/A:N), and while no public exploit is identified at time of analysis, the very low EPSS score of 0.02% (4th percentile) suggests minimal active exploitation interest. Mozilla addressed the issue in Firefox 151 via security advisories MFSA2026-46 and MFSA2026-50.
Information disclosure in Mozilla Firefox prior to version 151 allows remote attackers to leak sensitive data through a flaw in the DOM: Security component, exploitable without authentication or user interaction. The CVSS 7.5 rating reflects high confidentiality impact via network vector, though EPSS scoring at 0.02% (4th percentile) indicates very low predicted exploitation probability and no public exploit identified at time of analysis.
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151.