Mozilla Firefox vulnerabilities

3,029 known vulnerabilities affecting mozilla/firefox.

Total CVEs

3,029

CISA KEV

actively exploited

Public exploits

118

Exploited in wild

Severity breakdown

CRITICAL853HIGH879MEDIUM1228LOW69

Vulnerabilities

Page 5 of 152

CVE-2026-2765CRITICALCVSS 9.8fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2765 [CRITICAL] CWE-416 CVE-2026-2765: Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Fire Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2792CRITICALCVSS 9.8fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2792 [CRITICAL] CWE-787 CVE-2026-2792: Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thun

nvd

CVE-2026-2779CRITICALCVSS 9.8fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2779 [CRITICAL] CWE-119 CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Fire Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2786CRITICALCVSS 9.8fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2786 [CRITICAL] CWE-416 CVE-2026-2786: Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Fire Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2761CRITICALCVSS 10.0fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2761 [CRITICAL] CWE-693 CVE-2026-2761: Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Fi Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2757CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2757 [CRITICAL] CWE-1384 CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2785CRITICALCVSS 9.8fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2785 [CRITICAL] CWE-824 CVE-2026-2785: Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Fir Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2787CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2787 [CRITICAL] CWE-416 CVE-2026-2787: Use-after-free in the DOM: Window and Location component. This vulnerability was fixed in Firefox 14 Use-after-free in the DOM: Window and Location component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2770CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2770 [CRITICAL] CWE-416 CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 148, Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2758CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2758 [CRITICAL] CWE-416 CVE-2026-2758: Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148, Firefox Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2788CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2788 [CRITICAL] CWE-119 CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Fir Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2771CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2771 [CRITICAL] CWE-125 CVE-2026-2771: Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, F Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2760CRITICALCVSS 10.0fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2760 [CRITICAL] CWE-1384 CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulne Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2764CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2764 [CRITICAL] CWE-416 CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability was f JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2772CRITICALCVSS 9.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2772 [CRITICAL] CWE-416 CVE-2026-2772: Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2797CRITICALCVSS 9.8fixed in 148.02026-02-24

CVE-2026-2797 [CRITICAL] CWE-416 CVE-2026-2797: Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thun Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

nvd

CVE-2026-2769HIGHCVSS 8.8fixed in 115.33.0fixed in 148.0+1 more2026-02-24

CVE-2026-2769 [HIGH] CWE-416 CVE-2026-2769: Use-after-free in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Fir Use-after-free in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2783HIGHCVSS 7.5fixed in 140.8.0fixed in 148.02026-02-24

CVE-2026-2783 [HIGH] CWE-843 CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulne Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

nvd

CVE-2026-2803HIGHCVSS 7.5fixed in 148.02026-02-24

CVE-2026-2803 [HIGH] CWE-200 CVE-2026-2803: Information disclosure, mitigation bypass in the Settings UI component. This vulnerability was fixed Information disclosure, mitigation bypass in the Settings UI component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

nvd

CVE-2026-2801HIGHCVSS 7.5fixed in 148.02026-02-24

CVE-2026-2801 [HIGH] CWE-754 CVE-2026-2801: Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

nvd

← Previous5 / 152Next →