Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42
Vulnerabilities
CVE-2021-43532 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 94.0-1 (sid) | 2021
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to takeover a user account. If a website tri

CVE-2024-5698 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 127.0-1 (sid) | 2024
By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127.
Scope: local
sid: resolved (fixed in 127.0-1)

CVE-2016-9071 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 50.0-1 (sid) | 2016
Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history. This vulnerability affects Firefox < 50.
Scope: local
sid: resolved (fixed in 50.0-1)

CVE-2024-4769 | P4 | MEDIUM | CVSS 5.9 | fixed in firefox 126.0-1 (sid) | 2024
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Scope: local
sid: resolved (fixed in 126.0-1)

CVE-2018-5107 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 58.0-1 (sid) | 2018
The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed. This vulnerability affects Firefox < 58.
Scope: local
sid: resolved (fixed

CVE-2017-7822 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 56.0-1 (sid) | 2017
The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox < 56.
Scope: local
sid: resolved (fixed in 56.0-1)

CVE-2017-7815 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 56.0-1 (sid) | 2017
On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view. Note: This attack only affects installations with e10 multiprocess turned off. Installations with e10s turned on do not support the mod

CVE-2025-0238 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 134.0-1 (sid) | 2025
Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Scope: local
sid: resolved (fixed in 134.0-1)

CVE-2025-5283 | P4 | MEDIUM | CVSS 5.4 | fixed in chromium 137.0.7151.55-3~deb12u1 (bookworm) | 2025
Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Scope: local
bookworm: resolved (fixed in 137.0.7151.55-3~deb12u1)
bullseye: open
forky: resolved (fixed in 137.0.7151.55-1)
sid: resolved (fixed in 137.0.7151.55-1)
trixie: r

CVE-2023-5722 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 119.0-1 (sid) | 2023
Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119.
Scope: local
sid: resolved (fixed in 119.0-1)

CVE-2026-2804 | P4 | MEDIUM | CVSS 5.4 | fixed in firefox 148.0-1 (sid) | 2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Scope: local
sid: resolved (fixed in 148.0-1)

CVE-2026-0886 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)

CVE-2026-0883 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)

CVE-2026-0888 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Scope: local
sid: resolved (fixed in 147.0-1)

CVE-2024-10460 | P4 | MEDIUM | CVSS 5.3 | fixed in firefox 132.0-1 (sid) | 2024
The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local
sid: resolved (fixed in 132.0-1)

CVE-2016-2822 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 47.0-1 (sid) | 2016
Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to spoof the address bar via a SELECT element with a persistent menu.
Scope: local
sid: resolved (fixed in 47.0-1)

CVE-2021-23973 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 86.0-1 (sid) | 2021
When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.
Scope: local
sid: resolved (fixed in 86.0-1)

CVE-2017-5420 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 52.0-1 (sid) | 2017
A "javascript:" url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the addressbar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly. This vulnerability affects Firefox < 52.
Scope: local
sid: resolved (fixed in 52.0-1)

CVE-2020-15648 | P4 | MEDIUM | CVSS 6.5 | fixed in firefox 78.0.2-1 (sid) | 2020
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
Scope: local
sid: resolved (fixed in 78.0.2-1)

CVE-2020-6798 | P4 | MEDIUM | CVSS 6.1 | fixed in firefox 73.0-1 (sid) | 2020
If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is d