Skip to main content

Mozilla

Vendor security scorecard – 176 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 610
176
CVEs
25
Critical
84
High
0
KEV
3
PoC
4
Unpatched C/H
89.8%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
25
HIGH
84
MEDIUM
65
LOW
1

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-49980 Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix. CRITICAL 9.8 0.5% 49
CVE-2026-12293 Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152. CRITICAL 9.8 0.1% 49
CVE-2026-14241 Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4. CRITICAL 9.8 0.1% 49
No patch
CVE-2026-6748 Uninitialized memory access in Firefox's Web Codecs API enables remote code execution without authentication. Attackers can exploit this CWE-457 (Use of Uninitialized Variable) flaw through network-accessible vectors with low complexity (AV:N/AC:L/PR:N/UI:N) to achieve complete system compromise including data exfiltration, arbitrary code execution, and denial of service. CVSS 9.8 severity is supported by SSVC assessment indicating automatable exploitation with total technical impact. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10. CISA SSVC reports no active exploitation at time of analysis, though the vulnerability is classified as automatable with total technical impact. CRITICAL 9.8 0.0% 49
CVE-2026-8956 Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. CRITICAL 9.8 0.0% 49
CVE-2026-6771 DOM security mitigation bypass in Mozilla Firefox allows remote unauthenticated attackers to completely compromise browser security, achieving high confidentiality, integrity, and availability impact. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. The vulnerability bypasses critical browser security controls designed to protect the Document Object Model. SSVC assessment indicates the flaw is automatable with total technical impact, though no active exploitation has been confirmed at time of analysis. CVSS 9.8 critical rating reflects network-based attack with no complexity barriers. CRITICAL 9.8 0.0% 49
CVE-2026-6768 Authentication bypass in Firefox's cookie-handling mechanism allows remote unauthenticated attackers to bypass security controls via network requests, achieving full confidentiality, integrity, and availability compromise. Affects Firefox versions prior to 150. Mozilla has released patches in security advisories MFSA2026-30 and MFSA2026-33. CISA SSVC framework classifies this as fully automatable with total technical impact, though no active exploitation is confirmed at time of analysis. CVSS 9.8 critical severity reflects the network attack vector with no authentication or user interaction required. CRITICAL 9.8 0.0% 49
CVE-2026-8401 Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3. CRITICAL 9.8 0.0% 49
CVE-2026-6760 Authentication bypass in Firefox's cookie handling mechanism allows remote unauthenticated attackers to circumvent security controls and potentially execute arbitrary code or access protected resources. The vulnerability affects Firefox versions prior to 150 and has a critical CVSS score of 9.8 (network-exploitable, no authentication required, low complexity). Despite the severe CVSS rating, EPSS probability indicates only 0.02% likelihood of exploitation (4th percentile), suggesting limited real-world targeting. Mozilla has patched this in Firefox 150 per security advisories MFSA2026-30 and MFSA2026-33. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis. CRITICAL 9.8 0.0% 49
CVE-2026-8091 Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback - a user-facing feature in a widely-deployed browser component. CRITICAL 9.8 0.0% 49
CVE-2026-8094 Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with network attack vector requiring no authentication or user interaction. Despite the critical severity, EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed by CISA SSVC framework. CRITICAL 9.8 0.0% 49
CVE-2026-12294 Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet. CRITICAL 9.6 0.2% 48
CVE-2026-12297 Sandbox escape in Mozilla Firefox and Firefox ESR allows a remote attacker to break out of the browser's content sandbox by exploiting incorrect boundary conditions in the Networking component, leading to full compromise of confidentiality, integrity, and availability on the host. Exploitation requires user interaction (e.g., visiting a malicious page), but with CVSS 9.6 and a scope change, successful exploitation crosses the renderer/host trust boundary. No public exploit identified at time of analysis, and EPSS is low (0.16%), consistent with the SSVC 'Exploitation: none' signal. CRITICAL 9.6 0.2% 48
CVE-2026-12295 Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. CRITICAL 9.6 0.2% 48
CVE-2026-12296 Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. CRITICAL 9.6 0.2% 48

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy