Skip to main content

Mozilla

Vendor security scorecard – 62 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 198
62
CVEs
11
Critical
18
High
0
KEV
2
PoC
2
Unpatched C/H
82.3%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
11
HIGH
18
MEDIUM
32
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-49980 Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix. CRITICAL 9.8 0.5% 49
CVE-2026-12293 Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152. CRITICAL 9.8 0.1% 49
CVE-2026-14241 Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4. CRITICAL 9.8 0.1% 49
No patch
CVE-2026-12294 Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet. CRITICAL 9.6 0.2% 48
CVE-2026-12295 Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. CRITICAL 9.6 0.2% 48
CVE-2026-12297 Sandbox escape in Mozilla Firefox and Firefox ESR allows a remote attacker to break out of the browser's content sandbox by exploiting incorrect boundary conditions in the Networking component, leading to full compromise of confidentiality, integrity, and availability on the host. Exploitation requires user interaction (e.g., visiting a malicious page), but with CVSS 9.6 and a scope change, successful exploitation crosses the renderer/host trust boundary. No public exploit identified at time of analysis, and EPSS is low (0.16%), consistent with the SSVC 'Exploitation: none' signal. CRITICAL 9.6 0.2% 48
CVE-2026-12296 Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. CRITICAL 9.6 0.2% 48
CVE-2026-53649 Unauthenticated remote code execution in Joro ≤ v1.1.0 (BishopFox's offensive-security tooling) allows an attacker to gain a shell as the operator's user when that operator merely visits a malicious web page. In the default proxy mode, Joro exposes an unauthenticated local API on 127.0.0.1:9090 with a wildcard CORS policy; because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript can upload a native Go plugin and trigger a restart through the operator's browser with no preflight or credentials, and the plugin's init() executes on load. No public exploit is identified at time of analysis, but the advisory documents a complete, reproducible attack chain, and the assigned CVSS is 9.6 (Critical). CRITICAL 9.6 – 48
CVE-2026-12304 Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. CRITICAL 9.1 0.2% 46
CVE-2026-12315 Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed. CRITICAL 9.1 0.3% 46
CVE-2026-12316 Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60. CRITICAL 9.1 0.3% 46
CVE-2026-12289 Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileges within the browser sandbox when a victim loads malicious web content. Mozilla has patched the issue in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, and no public exploit has been identified at time of analysis. HIGH 8.8 0.3% 44
CVE-2026-12291 Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating. HIGH 8.8 0.2% 44
CVE-2026-49825 Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV. HIGH 8.2 &ndash; 41
CVE-2026-12328 Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching. HIGH 8.1 0.3% 41

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy