Skip to main content

Mozilla

2675 CVEs vendor

Monthly

CVE-2025-4091 HIGH PATCH This Week

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-4090 MEDIUM PATCH This Month

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-4089 MEDIUM PATCH This Month

Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Mozilla
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-4088 MEDIUM PATCH This Month

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mozilla
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-4087 MEDIUM PATCH This Month

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2025-4086 MEDIUM PATCH This Month

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-4085 HIGH PATCH This Week

An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-4084 MEDIUM PATCH This Month

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft RCE Mozilla
NVD
CVSS 3.1
5.7
EPSS
0.3%
CVE-2025-4083 CRITICAL PATCH Act Now

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-4082 MEDIUM PATCH This Month

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla Apple
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2025-2817 HIGH PATCH This Week

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Path Traversal Mozilla
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-3523 MEDIUM PATCH This Month

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-3522 MEDIUM PATCH This Month

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Open Redirect Google Mozilla Chrome
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-2830 MEDIUM PATCH This Month

By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Mozilla
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-3608 MEDIUM PATCH This Month

A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-3035 MEDIUM PATCH This Month

By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-3034 HIGH PATCH This Week

Memory safety bugs present in Firefox 136 and Thunderbird 136. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-3033 HIGH PATCH This Week

After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-3032 HIGH PATCH This Week

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Privilege Escalation Mozilla
NVD VulDB
CVSS 3.1
7.4
EPSS
0.2%
CVE-2025-3031 MEDIUM PATCH This Month

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-3030 HIGH PATCH This Week

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Mozilla Buffer Overflow RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-3029 HIGH PATCH This Week

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
7.3
EPSS
0.7%
CVE-2025-3028 MEDIUM POC PATCH This Month

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2025-2857 CRITICAL PATCH Act Now

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Google Information Disclosure Mozilla Chrome
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-26696 HIGH PATCH This Week

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. [CVSS 7.0 HIGH]

Mozilla Authentication Bypass
NVD VulDB
CVSS 3.1
7.0
EPSS
0.2%
CVE-2025-26695 MEDIUM PATCH This Month

When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. [CVSS 5.3 MEDIUM]

Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-27426 MEDIUM This Month

Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Open Redirect Mozilla
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-27425 MEDIUM This Month

Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-27424 MEDIUM This Month

Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page This vulnerability affects Firefox for iOS < 136. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Open Redirect Mozilla
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-1943 HIGH PATCH This Week

Memory safety bugs present in Firefox 135 and Thunderbird 135. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2025-1942 CRITICAL PATCH Act Now

When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird <. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-1941 CRITICAL PATCH Act Now

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-1940 HIGH PATCH This Week

A select option could partially obscure the confirmation prompt shown before launching external apps. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-1939 LOW Monitor

Android apps can load web pages using the Custom Tabs feature. Rated low severity (CVSS 3.9), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
3.9
EPSS
0.0%
CVE-2025-1938 MEDIUM PATCH This Month

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-1937 HIGH POC PATCH This Week

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-1936 HIGH PATCH This Week

jar: URLs retrieve local file content packaged in a ZIP archive. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
7.3
EPSS
0.5%
CVE-2025-1935 MEDIUM PATCH This Month

A web page could trick a user into setting that site as the default handler for a custom URL protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-1934 MEDIUM PATCH This Month

It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-1933 HIGH PATCH This Week

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
7.6
EPSS
0.4%
CVE-2025-1932 HIGH PATCH This Week

An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-1931 HIGH PATCH This Week

It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-1930 HIGH PATCH This Week

On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Information Disclosure Mozilla Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-1414 MEDIUM PATCH This Month

Memory safety bugs present in Firefox 135. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-0665 HIGH POC PATCH This Week

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, causing the same eventfd file descriptor to be closed twice. This affects curl version 8.11.1 and various NetApp products that bundle libcurl, potentially leading to file descriptor confusion, limited information disclosure, and high availability impact. A public proof-of-concept exploit is available (HackerOne report 2954286), and the vulnerability has a notably high EPSS score of 6.37% (91st percentile), indicating elevated real-world exploitation likelihood.

Mozilla Denial Of Service Use After Free Bootstrap Os H410c Firmware +8
NVD VulDB
CVSS 3.1
7.0
EPSS
6.4%
CVE-2025-1020 CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134 and Thunderbird 134. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-1019 MEDIUM PATCH This Month

The z-order of the browser windows could be manipulated to hide the fullscreen notification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XSS Mozilla
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-1018 MEDIUM PATCH This Month

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-1017 CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-1016 CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-1015 MEDIUM PATCH This Month

The Thunderbird Address Book URI fields contained unsanitized links. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 25.2% and no vendor patch available.

XSS Mozilla
NVD VulDB
CVSS 3.1
5.4
EPSS
25.2%
CVE-2025-1014 HIGH PATCH This Week

Certificate length was not properly checked when added to a certificate store. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1013 MEDIUM PATCH This Month

A race condition could have led to private browsing tabs being opened in normal browsing windows. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Race Condition Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-1012 HIGH PATCH This Week

A race during concurrent delazification could have led to a use-after-free. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-1011 HIGH PATCH This Week

A bug in WebAssembly code generation could have lead to a crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mozilla
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1010 HIGH PATCH This Week

An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla Denial Of Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-1009 CRITICAL PATCH Act Now

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla Denial Of Service
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-0510 MEDIUM PATCH This Month

Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-23720 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Web Push allows Stored XSS.4.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mozilla XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-23109 MEDIUM This Month

Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apple Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2025-23108 MEDIUM This Month

Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Mozilla XSS
NVD VulDB
CVSS 3.1
4.3
EPSS
0.8%
CVE-2025-0247 CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 133 and Thunderbird 133. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.1% and no vendor patch available.

RCE Memory Corruption Buffer Overflow Mozilla
NVD VulDB
CVSS 3.1
9.8
EPSS
15.1%
CVE-2025-0246 MEDIUM PATCH This Month

When using an invalid protocol scheme, an attacker could spoof the address bar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-0245 LOW Monitor

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-0244 MEDIUM PATCH This Month

When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Google
NVD VulDB
CVSS 3.1
5.3
EPSS
7.5%
CVE-2025-0243 MEDIUM PATCH This Month

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Memory Corruption Buffer Overflow Mozilla
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-0242 MEDIUM PATCH This Month

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Memory Corruption Buffer Overflow Mozilla
NVD VulDB
CVSS 3.1
6.5
EPSS
2.9%
CVE-2025-0241 HIGH PATCH This Week

When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Denial Of Service
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-0240 MEDIUM PATCH This Month

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Memory Corruption Use After Free Mozilla
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-0239 MEDIUM PATCH This Month

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-0238 MEDIUM PATCH This Month

Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Use After Free Mozilla Denial Of Service
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-0237 MEDIUM PATCH This Month

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Mozilla
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-12346 MEDIUM This Month

A vulnerability has been found in Talentera up to 20241128 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2024-53976 MEDIUM This Month

Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla Firefox
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-53975 MEDIUM This Month

Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla Firefox
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-11708 MEDIUM This Month

Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-11706 MEDIUM This Month

A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-11705 CRITICAL Act Now

`NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-11704 CRITICAL Act Now

A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-11703 MEDIUM This Month

On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox
NVD
CVSS 3.1
5.7
EPSS
0.2%
CVE-2024-11702 HIGH This Week

Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla Firefox Thunderbird
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-11701 MEDIUM This Month

The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-11700 HIGH This Week

Malicious websites may have been able to perform user intent confirmation through tapjacking. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox Thunderbird
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-11698 CRITICAL Act Now

A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-50266 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs A recent change in the venus driver results in a stuck clock on the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Linux Information Disclosure Lenovo Mozilla Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-52300 CRITICAL Act Now

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mozilla Pdf Viewer Macro
NVD GitHub
CVSS 3.1
9.0
EPSS
0.4%
CVE-2024-52299 HIGH This Week

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Pdf Viewer Macro
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-52298 HIGH POC This Week

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Pdf Viewer Macro
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-11159 MEDIUM This Month

Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-10941 MEDIUM This Month

A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
CVSS 3.1
6.5
EPSS
0.4%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow RCE Mozilla
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Mozilla
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mozilla
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Mozilla
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft RCE Mozilla
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Path Traversal Mozilla
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Open Redirect Google +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Mozilla
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Race Condition Mozilla
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory safety bugs present in Firefox 136 and Thunderbird 136. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Privilege Escalation Mozilla
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Mozilla +2
NVD VulDB
EPSS 1% CVSS 7.3
HIGH PATCH This Week

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Google Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. [CVSS 7.0 HIGH]

Mozilla Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8. [CVSS 5.3 MEDIUM]

Mozilla Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Open Redirect Mozilla
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first This vulnerability affects Firefox for iOS. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Authentication Bypass Mozilla
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page This vulnerability affects Firefox for iOS < 136. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Open Redirect Mozilla
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Memory safety bugs present in Firefox 135 and Thunderbird 135. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird <. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A select option could partially obscure the confirmation prompt shown before launching external apps. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google XSS Mozilla
NVD VulDB
EPSS 0% CVSS 3.9
LOW Monitor

Android apps can load web pages using the Custom Tabs feature. Rated low severity (CVSS 3.9), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7, and Thunderbird 128.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Mozilla
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

jar: URLs retrieve local file content packaged in a ZIP archive. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

A web page could trick a user into setting that site as the default handler for a custom URL protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Mozilla
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory safety bugs present in Firefox 135. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 6% CVSS 7.0
HIGH POC PATCH This Week

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, causing the same eventfd file descriptor to be closed twice. This affects curl version 8.11.1 and various NetApp products that bundle libcurl, potentially leading to file descriptor confusion, limited information disclosure, and high availability impact. A public proof-of-concept exploit is available (HackerOne report 2954286), and the vulnerability has a notably high EPSS score of 6.37% (91st percentile), indicating elevated real-world exploitation likelihood.

Mozilla Denial Of Service Use After Free +10
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134 and Thunderbird 134. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The z-order of the browser windows could be manipulated to hide the fullscreen notification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XSS Mozilla
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow RCE +1
NVD VulDB
EPSS 25% CVSS 5.4
MEDIUM PATCH This Month

The Thunderbird Address Book URI fields contained unsanitized links. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 25.2% and no vendor patch available.

XSS Mozilla
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Certificate length was not properly checked when added to a certificate store. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A race condition could have led to private browsing tabs being opened in normal browsing windows. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Race Condition +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A race during concurrent delazification could have led to a use-after-free. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A bug in WebAssembly code generation could have lead to a crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mozilla
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use After Free Memory Corruption Mozilla +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Web Push allows Stored XSS.4.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mozilla XSS
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apple Mozilla
NVD VulDB
EPSS 1% CVSS 4.3
MEDIUM This Month

Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Mozilla XSS
NVD VulDB
EPSS 15% CVSS 9.8
CRITICAL PATCH Act Now

Memory safety bugs present in Firefox 133 and Thunderbird 133. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.1% and no vendor patch available.

RCE Memory Corruption Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

When using an invalid protocol scheme, an attacker could spoof the address bar. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla
NVD VulDB
EPSS 7% CVSS 5.3
MEDIUM PATCH This Month

When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Mozilla Google
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Memory Corruption Buffer Overflow +1
NVD VulDB
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Memory Corruption Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Denial Of Service
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Memory Corruption Use After Free +1
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Use After Free Mozilla +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Mozilla
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability has been found in Talentera up to 20241128 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mozilla
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Mozilla +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Accessing a non-secure HTTP site that uses a non-existent port may cause the SSL padlock icon in the location URL bar to, misleadingly, appear secure. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when handling malformed or improperly formatted input files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla +2
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

`NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Mozilla +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Mozilla Firefox +1
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

On Android, Firefox may have inadvertently allowed viewing saved passwords without the required device PIN authentication. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Copying sensitive information from Private Browsing tabs on Android, such as passwords, may have inadvertently stored data in the cloud-based clipboard history if enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Mozilla +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Mozilla Firefox +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Malicious websites may have been able to perform user intent confirmation through tapjacking. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mozilla Firefox +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Mozilla +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs A recent change in the venus driver results in a stuck clock on the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Linux Information Disclosure Lenovo +2
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mozilla Pdf Viewer Macro
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Pdf Viewer Macro
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mozilla Pdf Viewer Macro
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Thunderbird
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Mozilla Firefox
NVD
Prev Page 6 of 30 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy