Mozilla CVEs & Vulnerabilities

247 CVEs affecting Mozilla products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

firefox 242thunderbird 188firefox mobile 2firefox focus 10din scanner 1
CVE-2026-3845HIGH

Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability affects Firefox < 148.0.2.

10 Mar 2026
8.8
CVSS
CVE-2026-2807CRITICAL

Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2806CRITICAL

Uninitialized memory in the Graphics: Text component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.1
CVSS
CVE-2026-2805CRITICAL

Invalid pointer in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2804MEDIUM

Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
5.4
CVSS
CVE-2026-2803HIGH

Information disclosure, mitigation bypass in the Settings UI component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
7.5
CVSS
CVE-2026-2802MEDIUM

Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
4.2
CVSS
CVE-2026-2801HIGH

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
7.5
CVSS
CVE-2026-2800CRITICAL

Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2799CRITICAL

Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2798HIGH

Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
8.8
CVSS
CVE-2026-2797CRITICAL

Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2796CRITICAL

JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2795CRITICAL

Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.

24 Feb 2026
9.8
CVSS
CVE-2026-2794HIGH

Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability affects Firefox < 148.

24 Feb 2026
7.5
CVSS
CVE-2026-2793CRITICAL

Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2792CRITICAL

Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2791CRITICAL

Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2790CRITICAL

Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2789CRITICAL

Use-after-free in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2788CRITICAL

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2787CRITICAL

Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2786CRITICAL

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2785CRITICAL

Invalid pointer in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2784CRITICAL

Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2783HIGH

Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
7.5
CVSS
CVE-2026-2782CRITICAL

Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2781CRITICAL

Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2780CRITICAL

Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2779CRITICAL

Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2778CRITICAL

Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
10.0
CVSS
CVE-2026-2777CRITICAL

Privilege escalation in the Messaging System component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2776CRITICAL

Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
10.0
CVSS
CVE-2026-2775CRITICAL

Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2774CRITICAL

Integer overflow in the Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2773CRITICAL

Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2772CRITICAL

Use-after-free in the Audio/Video: Playback component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2771CRITICAL

Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2770CRITICAL

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2769HIGH

Use-after-free in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
8.8
CVSS
CVE-2026-2768CRITICAL

Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
10.0
CVSS
CVE-2026-2767CRITICAL

Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2766CRITICAL

Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2765CRITICAL

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2764CRITICAL

JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2763CRITICAL

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2762CRITICAL

Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
9.8
CVSS
CVE-2026-2761CRITICAL

Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026
10.0
CVSS