| Metric | Value |
|---|---|
| CVEs | 59 |
| Critical | 26 |
| High | 30 |
| KEV (entries in CISA's Known Exploited Vulnerabilities catalog) | 0 |
| PoC (public proof of concept) | 1 |
| Unpatched Critical/High | 7 |
| Patch Rate | 86.4% |
| Avg EPSS | 0.0% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 26 |
| HIGH | 30 |
| MEDIUM | 3 |
| LOW | 0 |
Monthly CVE Trend (chart only; no data points are reproduced here)
Affected Products (30)

The 30 tags mix product names with weakness classes; both are listed with their counts below.

Products

| Product | Count |
|---|---|
| Firefox | 214 |
| Thunderbird | 145 |
| Android | 14 |
| iOS | 14 |
| Windows | 10 |
| Ubuntu | 7 |
| macOS | 3 |
| Chrome | 3 |
| Node.js | 2 |
| Python | 2 |
| Safari | 2 |
| Firefox Focus | 1 |
| AnythingLLM | 1 |
| Enterprise Linux EUS | 1 |
| SeaMonkey | 1 |
| Docker | 1 |
| Enterprise Linux Server TUS | 1 |
| VPN | 1 |
| Enterprise Linux Workstation | 1 |
| Enterprise Linux Desktop | 1 |
| Enterprise Linux Server AUS | 1 |

Weakness classes

| Weakness class | Count |
|---|---|
| Memory Corruption | 37 |
| Use After Free | 21 |
| Open Redirect | 9 |
| Integer Overflow | 7 |
| Race Condition | 4 |
| Command Injection | 3 |
| CORS Misconfiguration | 3 |
| Prototype Pollution | 2 |
| Heap Overflow | 1 |
Top Risky CVEs

Several summaries below say no patch is available while also bounding the affected range (for example "below 149"); such a bound means the fix shipped in that release, so compare the installed version against the bound rather than trusting the patch flag, and compare ESR builds against their own train (140.9 or 115.34), not against 149. Some entries described as information disclosure or mitigation bypass carry the same 9.8 as the code-execution bugs, so treat the CVSS column as the feed's rating and confirm against the Mozilla advisory before prioritising.

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-4688 | Use-after-free in Firefox's Disability Access APIs component leading to a sandbox escape; rated as unauthenticated, network-reachable remote code execution with full system compromise and no user interaction. Affected: Firefox < 149, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 10.0 | 0.0% | 50 | |
| CVE-2026-4725 | Use-after-free in the Canvas2D graphics component allowing a sandbox escape and arbitrary code execution with no user interaction. Affected: Firefox < 149. Page lists no patch. | CRITICAL | 10.0 | 0.0% | 50 | |
| CVE-2026-4692 | Sandbox escape in the Responsive Design Mode component: web content can bypass the isolation between content and the privileged browser context and disclose sensitive information. Affected: Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9. | CRITICAL | 10.0 | 0.0% | 50 | |
| CVE-2026-4689 | Incorrect boundary condition and integer overflow in XPCOM allowing a sandbox escape and potentially arbitrary code execution with elevated privileges. Affected: Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9. | CRITICAL | 10.0 | 0.0% | 50 | PoC |
| CVE-2026-4691 | Use-after-free in the CSS parsing engine, triggered when a crafted web page is rendered; rated as unauthenticated remote code execution with no user interaction. Affected: Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4696 | Use-after-free in the text and font rendering engine; unauthenticated remote code execution requiring no user interaction or privileges, with full confidentiality, integrity and availability impact. Affected: Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4698 | JIT miscompilation in the JavaScript engine leading to information disclosure: malicious JavaScript can read sensitive data from browser memory. Affected: Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4717 | Privilege escalation in the Netmonitor (DevTools) component, rated as network-reachable with no user interaction and full confidentiality, integrity and availability impact. Affected: Firefox < 149, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4700 | Mitigation bypass in the HTTP networking component, allowing authentication or other HTTP-level protections to be circumvented. Affected: Firefox < 149, Firefox ESR < 140.9. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4701 | Use-after-free in the JavaScript engine; unauthenticated remote code execution over the network without user interaction. Affected: Firefox < 149, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4702 | JIT miscompilation in the JavaScript engine leading to information disclosure from the browser's memory or process space via malicious JavaScript. Affected: Firefox < 149, Firefox ESR < 140.9. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4711 | Use-after-free in the Cocoa widget component (the macOS widget layer); remote code execution without user interaction or privileges, with full confidentiality, integrity and availability impact. Affected: Firefox < 149, Firefox ESR < 140.9. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4705 | Undefined behavior in the WebRTC Signaling component, classified as information disclosure; exploitation details are not public, and the description is of sensitive data extracted through malformed signaling messages. Affected: Firefox < 149, Firefox ESR < 140.9. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4723 | Use-after-free in the JavaScript engine; unauthenticated remote code execution over the network with no user interaction. Affected: Firefox < 149. Page lists no patch. | CRITICAL | 9.8 | 0.0% | 49 | |
| CVE-2026-4721 | Multiple memory safety bugs in Firefox, Firefox ESR and Thunderbird showing evidence of exploitable memory corruption that could allow arbitrary code execution; no public exploit or KEV entry is recorded. Affected as listed: Firefox < 149, Firefox ESR < 115.34 and < 140.9, Thunderbird ESR 140.8, Firefox 148, Thunderbird 148. | CRITICAL | 9.8 | 0.0% | 49 | |
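The table bounds each CVE per release train, and the trap in applying it is comparing an ESR build against the mainline bound: 140.9.0esr is below 149 but is fixed, while 115.33.0esr is fixed for nothing that lists only a 140.9 bound. The script below is an added example, not the dashboard's own tooling; it transcribes the Firefox bounds from the table above (Thunderbird is not modelled), parses a version string such as the output of `firefox --version`, and reports which of the listed CVEs still apply. A CVE that gives no bound for the installed ESR train is reported as "unlisted" rather than assumed fixed.

```python
"""Map an installed Firefox version onto the affected ranges in the table above.

Added example, not the dashboard's own code. The bounds below are transcribed
from the "Top Risky CVEs" table on this page; nothing is fetched live.
"""
import re
from typing import NamedTuple


class FirefoxVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    esr: bool


# First fixed version per release train, as the table states them:
# "below 149" -> release train fixed at 149.0, "ESR below 140.9" -> esr140 fixed at 140.9.
# A train missing from a CVE's entry means the page gives no bound for it.
FIXED_IN = {
    "CVE-2026-4688": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4725": {"release": (149, 0)},
    "CVE-2026-4692": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
    "CVE-2026-4689": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
    "CVE-2026-4691": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
    "CVE-2026-4696": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
    "CVE-2026-4698": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
    "CVE-2026-4717": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4700": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4701": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4702": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4711": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4705": {"release": (149, 0), "esr140": (140, 9)},
    "CVE-2026-4723": {"release": (149, 0)},
    "CVE-2026-4721": {"release": (149, 0), "esr115": (115, 34), "esr140": (140, 9)},
}

# Matches "148.0.1", "140.8.0esr" and "149.0"; the trailing "esr" marks an ESR build.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b")


def parse_version(text: str) -> FirefoxVersion:
    """Parse a bare version or a line like 'Mozilla Firefox 140.8.0esr'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    return FirefoxVersion(int(m.group(1)), int(m.group(2)),
                          int(m.group(3) or 0), m.group(4) is not None)


def train_of(v: FirefoxVersion) -> str:
    """ESR builds are judged against their own train's bound, never the release bound."""
    return f"esr{v.major}" if v.esr else "release"


def status(cve: str, v: FirefoxVersion) -> str:
    """Return 'affected', 'fixed', or 'unlisted' (page gives no bound for this train)."""
    bound = FIXED_IN[cve].get(train_of(v))
    if bound is None:
        return "unlisted"
    # The page's bounds are major.minor, so the patch level does not change the verdict.
    return "affected" if (v.major, v.minor) < bound else "fixed"


def affected_cves(version_text: str) -> list[str]:
    """All CVEs from the table whose listed range covers this version."""
    v = parse_version(version_text)
    return sorted(c for c in FIXED_IN if status(c, v) == "affected")


if __name__ == "__main__":
    # Constructed sample inputs, one per train boundary worth checking.
    for sample in ("Mozilla Firefox 148.0.1", "140.8.0esr", "140.9.0esr",
                   "115.33.0esr", "149.0"):
        print(f"{sample:>24}: {len(affected_cves(sample))} listed CVEs still open")
```

The "unlisted" state matters for the 115 ESR train: only six of the fifteen rows give a 115.34 bound, and a checker that silently treated the rest as fixed (or, worse, compared 115.x against 149 and flagged them all) would produce the wrong patch list either way.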