Mozilla CVEs & Vulnerabilities

247 CVEs affecting Mozilla products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

firefox 242thunderbird 188firefox mobile 2firefox focus 10din scanner 1
CVE-2026-7321CRITICAL

Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.

28 Apr 2026
9.6
CVSS
CVE-2026-7320HIGH

Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.

28 Apr 2026
7.5
CVSS
CVE-2026-6786HIGH

Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
8.1
CVSS
CVE-2026-6785HIGH

Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
8.1
CVSS
CVE-2026-6784HIGH

Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6783MEDIUM

Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.3
CVSS
CVE-2026-6782HIGH

Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6781HIGH

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6780HIGH

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6779MEDIUM

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.3
CVSS
CVE-2026-6778MEDIUM

Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.3
CVSS
CVE-2026-6777MEDIUM

Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.3
CVSS
CVE-2026-6776HIGH

Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.8
CVSS
CVE-2026-6775MEDIUM

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.3
CVSS
CVE-2026-6774MEDIUM

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
5.4
CVSS
CVE-2026-6773HIGH

Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6772HIGH

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6771CRITICAL

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
9.8
CVSS
CVE-2026-6770MEDIUM

Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
6.5
CVSS
CVE-2026-6769HIGH

Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
8.8
CVSS
CVE-2026-6768CRITICAL

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
9.8
CVSS
CVE-2026-6767MEDIUM

Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
5.3
CVSS
CVE-2026-6766HIGH

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6765MEDIUM

Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
5.3
CVSS
CVE-2026-6764MEDIUM

Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
6.5
CVSS
CVE-2026-6763MEDIUM

Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
6.5
CVSS
CVE-2026-6762MEDIUM

Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
6.3
CVSS
CVE-2026-6761HIGH

Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
8.8
CVSS
CVE-2026-6760CRITICAL

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
9.8
CVSS
CVE-2026-6759HIGH

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6758HIGH

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6757MEDIUM

Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
6.3
CVSS
CVE-2026-6756HIGH

Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.

21 Apr 2026
7.5
CVSS
CVE-2026-6755MEDIUM

Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

21 Apr 2026
6.5
CVSS
CVE-2026-6754HIGH

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6753HIGH

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.3
CVSS
CVE-2026-6752HIGH

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.3
CVSS
CVE-2026-6751HIGH

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.3
CVSS
CVE-2026-6750HIGH

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
8.8
CVSS
CVE-2026-6749HIGH

Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6748CRITICAL

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
9.8
CVSS
CVE-2026-6747HIGH

Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-6746HIGH

Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

21 Apr 2026
7.5
CVSS
CVE-2026-5735CRITICAL

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

7 Apr 2026
9.8
CVSS
CVE-2026-5734CRITICAL

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

7 Apr 2026
9.8
CVSS
CVE-2026-5733HIGH

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

7 Apr 2026
8.8
CVSS
CVE-2026-5732HIGH

Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

7 Apr 2026
8.8
CVSS
CVE-2026-4371HIGH

A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9.

25 Mar 2026
7.4
CVSS