cbcvebase.

Mozilla Firefox vulnerabilities

3,248 known vulnerabilities affecting mozilla/firefox.

Total CVEs: 3,248
CISA KEV: 17 (actively exploited)
Public exploits: 122
Exploited in wild: 22
Severity breakdown: CRITICAL 875, HIGH 978, MEDIUM 1321, LOW 72, UNKNOWN 2

Vulnerabilities

Page 3 of 163
CVE-2026-8388 | MEDIUM | CVSS 6.5 | fixed in 150.0.3 | 2026-05-12
CVE-2026-8388 [MEDIUM] CWE-119: Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Sources: nvd, mozilla, redhat
CVE-2026-8391 | MEDIUM | CVSS 5.3 | fixed in 150.0.3 | 2026-05-12
CVE-2026-8391 [MEDIUM] CWE-20: Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Sources: nvd, mozilla, redhat
CVE-2026-8094 | CRITICAL | CVSS 9.8 | fixed in 140.10.2 | 2026-05-07
CVE-2026-8094 [CRITICAL] CWE-94: Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
Sources: nvd, redhat
CVE-2026-8091 | CRITICAL | CVSS 9.8 | fixed in 115.35.2 | ≥ 140.0, < 140.10.1 | 2026-05-07
CVE-2026-8091 [CRITICAL] CWE-754: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
Sources: nvd
CVE-2026-8092 | HIGH | CVSS 8.1 | fixed in 115.35.2 | ≥ 140.0, < 140.10.2 | +1 more | 2026-05-07
CVE-2026-8092 [HIGH] CWE-125: Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbir
Sources: nvd, mozilla, redhat
CVE-2026-8090 | HIGH | CVSS 7.3 | fixed in 115.35.2 | fixed in 150.0.2 | +1 more | 2026-05-07
CVE-2026-8090 [HIGH] CWE-416: Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
Sources: nvd, mozilla, redhat
CVE-2026-8093 | HIGH | CVSS 8.1 | fixed in 150.0.2 | 2026-05-07
CVE-2026-8093 [HIGH] CWE-119: Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.
Sources: nvd, mozilla, redhat
CVE-2026-7321 | CRITICAL | CVSS 9.6 | fixed in 140.10.1 | fixed in 150.0 | 2026-04-28
CVE-2026-7321 [CRITICAL] CWE-120: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
Sources: nvd, redhat
CVE-2026-7324 | HIGH | CVSS 7.3 | fixed in 150.0.1 | 2026-04-28
CVE-2026-7324 [HIGH] CWE-119: Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
Sources: nvd, mozilla, redhat
CVE-2026-7322 | HIGH | CVSS 7.3 | fixed in 115.35.1 | fixed in 150.0.1 | +1 more | 2026-04-28
CVE-2026-7322 [HIGH] CWE-119: Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and
Sources: nvd, mozilla, redhat
CVE-2026-7320 | HIGH | CVSS 7.5 | fixed in 115.35.1 | fixed in 150.0.1 | +1 more | 2026-04-28
CVE-2026-7320 [HIGH] CWE-119: Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Sources: nvd, mozilla, redhat
CVE-2026-7323 | HIGH | CVSS 7.3 | fixed in 140.10.1 | fixed in 150.0.1 | 2026-04-28
CVE-2026-7323 [HIGH] CWE-119: Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Sources: nvd, mozilla, redhat
CVE-2026-6785 | HIGH | CVSS 7.5 | fixed in 115.35.0 | fixed in 150.0 | +1 more | 2026-04-26
CVE-2026-6785 [HIGH] CWE-125: Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox
Sources: nvd, mozilla
CVE-2026-6786 | HIGH | CVSS 7.5 | fixed in 150.0 | ≥ 140.0, < 140.10.0 | 2026-04-26
CVE-2026-6786 [HIGH] CWE-125: Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunder
Sources: nvd, mozilla
CVE-2026-41907 | HIGH | CVSS 8.1 | 2026-04-24
CVE-2026-41907 [HIGH] CWE-787: uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality. A flaw was found in uuid. The library's versions v3, v5, and v6 do not adequately check the size of external memory buffers provided by applications. This oversight allows the library to write data beyond the designated buffer limits without signaling an error. Such out-of-bounds writes can
Sources: redhat
CVE-2026-41305 | MEDIUM | CVSS 6.1 | 2026-04-24
CVE-2026-41305 [MEDIUM] CWE-79: postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags. A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `<style>` tags, it fails to properly escape `</style>` sequences. This oversight
Sources: redhat
CVE-2026-41988 | LOW | CVSS 3.2 | 2026-04-23
CVE-2026-41988 [LOW] CWE-787: uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions. A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected. Pack
Sources: redhat
CVE-2026-6771 | CRITICAL | CVSS 9.8 | fixed in 150.0 | ≥ 140.0, < 140.10.0 | 2026-04-21
CVE-2026-6771 [CRITICAL] CWE-288: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Sources: nvd, mozilla, redhat
CVE-2026-6748 | CRITICAL | CVSS 9.8 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
CVE-2026-6748 [CRITICAL] CWE-457: Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Sources: nvd, mozilla, redhat
CVE-2026-6768 | CRITICAL | CVSS 9.8 | fixed in 150.0 | 2026-04-21
CVE-2026-6768 [CRITICAL] CWE-288: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Sources: nvd, mozilla