Mozilla CVEs & Vulnerabilities

247 CVEs affecting Mozilla products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

firefox 242thunderbird 188firefox mobile 20din scanner 1firefox focus 1
CVE-2026-3889MEDIUM

Spoofing issue in Thunderbird. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9.

25 Mar 2026
6.5
CVSS
CVE-2026-4729CRITICAL

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
9.8
CVSS
CVE-2026-4728MEDIUM

Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
6.5
CVSS
CVE-2026-4727HIGH

Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
7.5
CVSS
CVE-2026-4726HIGH

Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
7.5
CVSS
CVE-2026-4725CRITICAL

Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
10.0
CVSS
CVE-2026-4724CRITICAL

Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
9.1
CVSS
CVE-2026-4723CRITICAL

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
9.8
CVSS
CVE-2026-4722HIGH

Privilege escalation in the IPC component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

24 Mar 2026
8.8
CVSS
CVE-2026-4721CRITICAL

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4720CRITICAL

Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4719HIGH

Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4718HIGH

Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
8.1
CVSS
CVE-2026-4717CRITICAL

Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4716CRITICAL

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.1
CVSS
CVE-2026-4715CRITICAL

Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.1
CVSS
CVE-2026-4714HIGH

Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4713HIGH

Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4712HIGH

Information disclosure in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4711CRITICAL

Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4710CRITICAL

Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4709HIGH

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4708HIGH

Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4707HIGH

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4706HIGH

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4705CRITICAL

Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4704HIGH

Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4702CRITICAL

JIT miscompilation in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4701CRITICAL

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4700CRITICAL

Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4699HIGH

Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4698CRITICAL

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4697HIGH

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4696CRITICAL

Use-after-free in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4695HIGH

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4694HIGH

Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4693HIGH

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4692CRITICAL

Sandbox escape in the Responsive Design Mode component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
10.0
CVSS
CVE-2026-4691CRITICAL

Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
9.8
CVSS
CVE-2026-4690HIGH

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
8.6
CVSS
CVE-2026-4689CRITICAL

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
10.0
CVSS
CVE-2026-4688CRITICAL

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
10.0
CVSS
CVE-2026-4687HIGH

Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
8.6
CVSS
CVE-2026-4686HIGH

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4685HIGH

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-4684HIGH

Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

24 Mar 2026
7.5
CVSS
CVE-2026-3847HIGH

Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148.0.2.

10 Mar 2026
8.8
CVSS
CVE-2026-3846MEDIUM

Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability affects Firefox < 148.0.2.

10 Mar 2026
6.5
CVSS