Mozilla Firefox vulnerabilities
3,029 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,029
CISA KEV: 15 (actively exploited)
Public exploits: 118
Exploited in wild: 20
Severity breakdown
CRITICAL 853 | HIGH 879 | MEDIUM 1228 | LOW 69
Vulnerabilities
Page 6 of 152
CVE-2026-2798 [HIGH] CWE-416 | CVSS 8.8 | fixed in 148.0 | 2026-02-24
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
nvd
CVE-2026-2794 [HIGH] CWE-908 | CVSS 7.5 | fixed in 148.0 | 2026-02-24
Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.
nvd
CVE-2026-2804 [MEDIUM] CWE-416 | CVSS 5.4 | fixed in 148.0 | 2026-02-24
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
nvd
CVE-2026-2802 [MEDIUM] CWE-362 | CVSS 4.2 | fixed in 148.0 | 2026-02-24
Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
nvd
CVE-2026-2447 [HIGH] CWE-122 | CVSS 8.8 | fixed in 115.32.1, fixed in 147.0.4, +1 more | 2026-02-16
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
nvd
CVE-2026-2032 [MEDIUM] CWE-451 | CVSS 4.3 | fixed in 147.2.1 | 2026-02-16
Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.
nvd
CVE-2026-24869 [HIGH] CWE-416 | CVSS 8.8 | fixed in 147.0.2 | 2026-01-27
Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability was fixed in Firefox 147.0.2.
nvd
CVE-2026-24868 [MEDIUM] CWE-693 | CVSS 6.5 | fixed in 147.0.2 | 2026-01-27
Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 147.0.2.
nvd
CVE-2026-0879 [CRITICAL] CWE-119 | CVSS 9.8 | fixed in 115.32.0, fixed in 147.0, +1 more | 2026-01-13
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0892 [CRITICAL] CWE-119 | CVSS 9.8 | fixed in 147.0 | 2026-01-13
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd
CVE-2026-0884 [CRITICAL] CWE-416 | CVSS 9.8 | fixed in 140.7.0, fixed in 147.0 | 2026-01-13
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0881 [CRITICAL] CWE-284 | CVSS 10.0 | fixed in 147.0 | 2026-01-13
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd
CVE-2026-0877 [HIGH] CWE-693 | CVSS 8.1 | fixed in 115.32.0, fixed in 147.0, +1 more | 2026-01-13
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0889 [HIGH] CWE-400 | CVSS 7.5 | fixed in 147.0 | 2026-01-13
Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd
CVE-2026-0891 [HIGH] CWE-119 | CVSS 8.1 | fixed in 140.7.0, fixed in 147.0 | 2026-01-13
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderb
nvd
CVE-2026-0880 [HIGH] CWE-190 | CVSS 8.8 | fixed in 115.32.0, fixed in 147.0, +1 more | 2026-01-13
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0878 [HIGH] CWE-20 | CVSS 8.0 | fixed in 140.7.0, fixed in 147.0 | 2026-01-13
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0882 [HIGH] CWE-416 | CVSS 8.8 | fixed in 115.32.0, fixed in 147.0, +1 more | 2026-01-13
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0885 [MEDIUM] CWE-416 | CVSS 6.5 | fixed in 140.7.0, fixed in 147.0 | 2026-01-13
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd
CVE-2026-0888 [MEDIUM] CWE-200 | CVSS 5.3 | fixed in 147.0 | 2026-01-13
Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd