Mozilla CVEs & Vulnerabilities

247 CVEs affecting Mozilla products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

firefox 242thunderbird 188firefox mobile 2firefox focus 10din scanner 1
CVE-2026-14241CRITICAL

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152.0.4.

30 Jun 2026
9.8
CVSS
CVE-2026-53900MEDIUM

Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.

16 Jun 2026
4.3
CVSS
CVE-2026-53899MEDIUM

Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.

16 Jun 2026
6.5
CVSS
CVE-2026-12330MEDIUM

Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.

16 Jun 2026
5.4
CVSS
CVE-2026-12329MEDIUM

Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.

16 Jun 2026
5.3
CVSS
CVE-2026-12328HIGH

Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.1
CVSS
CVE-2026-12327HIGH

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.1
CVSS
CVE-2026-12326HIGH

Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
8.1
CVSS
CVE-2026-12325MEDIUM

Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
6.5
CVSS
CVE-2026-12324HIGH

Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
7.3
CVSS
CVE-2026-12323MEDIUM

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
5.4
CVSS
CVE-2026-12322MEDIUM

Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
5.4
CVSS
CVE-2026-12321MEDIUM

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
5.4
CVSS
CVE-2026-12320MEDIUM

Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
4.3
CVSS
CVE-2026-12319MEDIUM

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
6.5
CVSS
CVE-2026-12318HIGH

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
7.3
CVSS
CVE-2026-12317HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
7.5
CVSS
CVE-2026-12316CRITICAL

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
9.1
CVSS
CVE-2026-12315CRITICAL

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.1
CVSS
CVE-2026-12314HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
7.5
CVSS
CVE-2026-12313MEDIUM

Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
4.7
CVSS
CVE-2026-12312HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
7.5
CVSS
CVE-2026-12311MEDIUM

Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
4.7
CVSS
CVE-2026-12310HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
7.5
CVSS
CVE-2026-12309MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
6.5
CVSS
CVE-2026-12308MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
5.3
CVSS
CVE-2026-12307MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
5.3
CVSS
CVE-2026-12306MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
5.3
CVSS
CVE-2026-12305HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
7.5
CVSS
CVE-2026-12304CRITICAL

Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.1
CVSS
CVE-2026-12303MEDIUM

Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
4.3
CVSS
CVE-2026-12302MEDIUM

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
6.5
CVSS
CVE-2026-12301MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
5.3
CVSS
CVE-2026-12300MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
5.3
CVSS
CVE-2026-12299MEDIUM

JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
5.4
CVSS
CVE-2026-12298MEDIUM

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
5.4
CVSS
CVE-2026-12297CRITICAL

Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.6
CVSS
CVE-2026-12296CRITICAL

Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.6
CVSS
CVE-2026-12295CRITICAL

Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.6
CVSS
CVE-2026-12294CRITICAL

Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
9.6
CVSS
CVE-2026-12293CRITICAL

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

16 Jun 2026
9.8
CVSS
CVE-2026-12292HIGH

Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.1
CVSS
CVE-2026-12291HIGH

Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.8
CVSS
CVE-2026-12290HIGH

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.1
CVSS
CVE-2026-12289HIGH

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

16 Jun 2026
8.8
CVSS
CVE-2026-10702MEDIUM

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.

2 Jun 2026
4.3
CVSS
CVE-2026-10701HIGH

Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 151.0.3.

2 Jun 2026
7.5
CVSS
CVE-2026-9309MEDIUM

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2.

1 Jun 2026
5.4
CVSS
← PrevPage 1 / 6Next →