Filtered by vendor Mozilla
Subscribe
Total
3457 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11716 | 2 Google, Mozilla | 3 Android, Firefox, Thunderbird | 2025-10-16 | N/A | 6.5 MEDIUM |
|
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox < 144 and Thunderbird < 144.
|
|||||
| CVE-2025-11717 | 2 Google, Mozilla | 2 Android, Firefox | 2025-10-15 | N/A | 9.1 CRITICAL |
|
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability affects Firefox < 144.
|
|||||
| CVE-2025-11718 | 2 Google, Mozilla | 2 Android, Firefox | 2025-10-15 | N/A | 6.5 MEDIUM |
|
When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event This vulnerability affects Firefox < 144.
|
|||||
| CVE-2025-11720 | 2 Google, Mozilla | 2 Android, Firefox | 2025-10-15 | N/A | 8.1 HIGH |
|
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144.
|
|||||
| CVE-2025-11721 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-10-15 | N/A | 9.8 CRITICAL |
|
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144 and Thunderbird < 144.
|
|||||
| CVE-2023-0163 | 1 Mozilla | 1 Convict | 2025-10-15 | N/A | 8.4 HIGH |
|
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.
This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.
The main use case of Convict is for handling server-side
configurations written by the admins owning the servers, and not random
users. So it's unlikely that an admin would deliberately sabo ...
Show More |
|||||
| CVE-2023-1521 | 1 Mozilla | 1 Sccache | 2025-10-15 | N/A | 7.8 HIGH |
|
On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD.
If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache ), this means a user running the sccache client can get root privileges.
|
|||||
| CVE-2025-11153 | 1 Mozilla | 1 Firefox | 2025-10-13 | N/A | 7.5 HIGH |
|
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 143.0.3.
|
|||||
| CVE-2025-10859 | 1 Mozilla | 1 Firefox | 2025-10-03 | N/A | 4.0 MEDIUM |
|
Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs This vulnerability affects Firefox for iOS < 143.1.
|
|||||
| CVE-2025-8038 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-09-29 | N/A | 9.8 CRITICAL |
|
Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
|
|||||
| CVE-2025-1939 | 1 Mozilla | 1 Firefox | 2025-09-29 | N/A | 3.9 LOW |
|
Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.
|
|||||
| CVE-2024-6600 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-09-26 | N/A | 6.3 MEDIUM |
|
Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on macOS. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.
|
|||||
| CVE-2025-4090 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-09-23 | N/A | 5.3 MEDIUM |
|
A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.
|
|||||
| CVE-2025-10290 | 1 Mozilla | 1 Firefox Focus | 2025-09-19 | N/A | 6.5 MEDIUM |
|
Opening links via the contextual menu in Focus iOS for certain URL schemes would fail to load but would not refresh the toolbar correctly, allowing attackers to spoof websites if users were coerced into opening a link explicitly through a long-press This vulnerability affects Focus for iOS < 143.0.
|
|||||
| CVE-2025-5262 | 1 Mozilla | 1 Thunderbird | 2025-09-19 | N/A | 7.5 HIGH |
|
A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.
|
|||||
| CVE-2025-8041 | 2 Google, Mozilla | 2 Android, Firefox | 2025-09-19 | N/A | 5.3 MEDIUM |
|
In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability affects Firefox < 141.
|
|||||
| CVE-2025-8042 | 2 Google, Mozilla | 2 Android, Firefox | 2025-09-19 | N/A | 9.8 CRITICAL |
|
Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141.
|
|||||
| CVE-2025-54143 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 9.8 CRITICAL |
|
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page This vulnerability affects Firefox for iOS < 141.
|
|||||
| CVE-2025-54144 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 5.4 MEDIUM |
|
The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link This vulnerability affects Firefox for iOS < 141.
|
|||||
| CVE-2025-54145 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 9.1 CRITICAL |
|
The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme This vulnerability affects Firefox for iOS < 141.
|
|||||
| CVE-2025-55028 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
|
Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks This vulnerability affects Firefox for iOS < 142.
|
|||||
| CVE-2025-55029 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 7.5 HIGH |
|
Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142.
|
|||||
| CVE-2025-55030 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks This vulnerability affects Firefox for iOS < 142.
|
|||||
| CVE-2025-55031 | 1 Mozilla | 2 Firefox, Firefox Focus | 2025-08-21 | N/A | 9.8 CRITICAL |
|
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
|
|||||
| CVE-2025-55032 | 1 Mozilla | 1 Firefox Focus | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks This vulnerability affects Focus for iOS < 142.
|
|||||
| CVE-2025-55033 | 1 Mozilla | 1 Firefox Focus | 2025-08-21 | N/A | 6.1 MEDIUM |
|
Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks This vulnerability affects Focus for iOS < 142.
|
|||||
| CVE-2025-8364 | 2 Google, Mozilla | 2 Android, Firefox | 2025-08-21 | N/A | 4.3 MEDIUM |
|
A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.
*Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 141.
|
|||||
| CVE-2025-9183 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
|
Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2.
|
|||||
| CVE-2025-9184 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 8.1 HIGH |
|
Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
|
|||||
| CVE-2025-9186 | 1 Mozilla | 1 Firefox | 2025-08-21 | N/A | 6.5 MEDIUM |
|
Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.
|
|||||
| CVE-2025-9187 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-08-21 | N/A | 9.8 CRITICAL |
|
Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142 and Thunderbird < 142.
|
|||||
| CVE-2025-8040 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-30 | N/A | 8.8 HIGH |
|
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
|
|||||
| CVE-2025-8037 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-28 | N/A | 9.1 CRITICAL |
|
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
|
|||||
| CVE-2025-8044 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-28 | N/A | 9.8 CRITICAL |
|
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141 and Thunderbird < 141.
|
|||||
| CVE-2025-8043 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-28 | N/A | 9.8 CRITICAL |
|
Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.
|
|||||
| CVE-2025-8039 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-28 | N/A | 8.1 HIGH |
|
In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
|
|||||
| CVE-2024-2612 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-17 | N/A | 8.1 HIGH |
|
If an attacker could find a way to trigger a particular code path in `SafeRefPtr`, it could have triggered a crash or potentially be leveraged to achieve code execution. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
|
|||||
| CVE-2024-6607 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-07-16 | N/A | 8.8 HIGH |
|
It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128.
|
|||||
| CVE-2025-6434 | 1 Mozilla | 1 Firefox | 2025-07-14 | N/A | 4.3 MEDIUM |
|
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.
|
|||||
| CVE-2025-6433 | 1 Mozilla | 1 Firefox | 2025-07-14 | N/A | 9.8 CRITICAL |
|
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.
|
|||||