Mozilla Firefox Open source web browser
Recent Mozilla Firefox Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-57 | Security Vulnerabilities fixed in Firefox 152 | June 16, 2026 |
| mfsa2026-58 | Security Vulnerabilities fixed in Firefox ESR 140.12 | June 16, 2026 |
| mfsa2026-59 | Security Vulnerabilities fixed in Firefox ESR 115.37 | June 16, 2026 |
| mfsa2026-56 | Security Vulnerabilities fixed in Firefox for iOS 152.0 | June 16, 2026 |
| mfsa2026-54 | Security Vulnerabilities fixed in Firefox 151.0.3 | June 2, 2026 |
| mfsa2026-53 | Security Vulnerabilities fixed in Firefox for iOS 151.2 | June 1, 2026 |
| mfsa2026-52 | Security Vulnerabilities fixed in Firefox for iOS 151.1 | May 25, 2026 |
| mfsa2026-49 | Security Vulnerabilities fixed in Firefox for iOS 151.0 | May 19, 2026 |
| mfsa2026-48 | Security Vulnerabilities fixed in Firefox ESR 140.11 | May 19, 2026 |
| mfsa2026-47 | Security Vulnerabilities fixed in Firefox ESR 115.36 | May 19, 2026 |
Known Exploited Mozilla Firefox Vulnerabilities
The following Mozilla Firefox vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process. CVE-2024-9680. Exploit Probability: 32.6% | October 15, 2024 |
| Mozilla Firefox Security Feature Bypass Vulnerability | Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. CVE-2015-4495. Exploit Probability: 70.2% | May 25, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. CVE-2022-26486. Exploit Probability: 2.3% | March 7, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. CVE-2022-26485. Exploit Probability: 14.3% | March 7, 2022 |
| Mozilla Firefox Information Disclosure Vulnerability | Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. CVE-2013-1675. Exploit Probability: 6.7% | March 3, 2022 |
The vulnerability CVE-2015-4495: Mozilla Firefox Security Feature Bypass Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 2 known exploited Mozilla Firefox vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Mozilla Firefox. Here are some end of life, and end of support dates for Mozilla Firefox.
| Release | EOL Date | Status |
|---|---|---|
| 152 | - | Active |
| 151 | June 16, 2026 | EOL. Mozilla Firefox 151 became EOL in 2026. |
| 150 | May 18, 2026 | EOL. Mozilla Firefox 150 became EOL in 2026. |
| 149 | April 21, 2026 | EOL. Mozilla Firefox 149 became EOL in 2026. |
| 148 | March 24, 2026 | EOL. Mozilla Firefox 148 became EOL in 2026. |
| 147 | February 24, 2026 | EOL. Mozilla Firefox 147 became EOL in 2026. |
| 146 | January 13, 2026 | EOL. Mozilla Firefox 146 became EOL in 2026. |
| 145 | December 9, 2025 | EOL. Mozilla Firefox 145 became EOL in 2025. |
| 144 | November 11, 2025 | EOL. Mozilla Firefox 144 became EOL in 2025. |
| 143 | October 14, 2025 | EOL. Mozilla Firefox 143 became EOL in 2025. |
| 142 | September 16, 2025 | EOL. Mozilla Firefox 142 became EOL in 2025. |
| 141 | August 19, 2025 | EOL. Mozilla Firefox 141 became EOL in 2025. |
| 140 | September 16, 2026 | EOL This Year. Mozilla Firefox 140 will become EOL this year, in September 2026. |
| 139 | June 24, 2025 | EOL. Mozilla Firefox 139 became EOL in 2025. |
| 138 | May 27, 2025 | EOL. Mozilla Firefox 138 became EOL in 2025. |
| 137 | April 29, 2025 | EOL. Mozilla Firefox 137 became EOL in 2025. |
| 136 | April 1, 2025 | EOL. Mozilla Firefox 136 became EOL in 2025. |
| 135 | March 4, 2025 | EOL. Mozilla Firefox 135 became EOL in 2025. |
| 134 | February 4, 2025 | EOL. Mozilla Firefox 134 became EOL in 2025. |
| 133 | January 7, 2025 | EOL. Mozilla Firefox 133 became EOL in 2025. |
By the Year
In 2026 there have been 262 vulnerabilities in Mozilla Firefox with an average score of 7.9 out of ten. Last year, in 2025, Firefox had 189 security vulnerabilities published. That is, 73 more vulnerabilities have already been reported in 2026 than last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.36.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 262 | 7.91 |
| 2025 | 189 | 7.54 |
| 2024 | 190 | 7.15 |
| 2023 | 180 | 7.38 |
| 2022 | 159 | 7.44 |
| 2021 | 123 | 7.13 |
| 2020 | 148 | 7.27 |
| 2019 | 121 | 7.44 |
| 2018 | 312 | 7.82 |
It may take a day or so for new Firefox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Security Vulnerabilities
Cookies Across Redirect in Firefox iOS before 152.0 (TemporaryDocument)
CVE-2026-53900
4.3 - Medium
- June 16, 2026
Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0.
Insufficient Verification of Data Authenticity
Firefox-iOS 152.0 & Before: Partial Domain Matching Cookie Leak in PDF Requests
CVE-2026-53899
6.5 - Medium
- June 16, 2026
Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
Insufficient Verification of Data Authenticity
Firefox ESR 115.37/140.12: I18N Boundary Condition Flaw
CVE-2026-12330
5.4 - Medium
- June 16, 2026
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12329: Firefox ESR 140.12 Memory Safety Bug
CVE-2026-12329
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.
Buffer Overflow
Firefox ESR 115.36 → 115.37, ESR 140.11 → 140.12 & 151 Memory Corruption (Arbitrary Code)
CVE-2026-12328
8.1 - High
- June 16, 2026
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Classic Buffer Overflow
Memory Safety Bugs in Firefox 151 & Thunderbird 151, Fixed in 152
CVE-2026-12327
7.3 - High
- June 16, 2026
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory Corruption in Firefox/Thunderbird 151 Enables RCE
CVE-2026-12326
7.3 - High
- June 16, 2026
Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
DoS via ImageLib in Firefox 152 & ESR 140.12/115.37 (fixed)
CVE-2026-12325
6.5 - Medium
- June 16, 2026
Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Resource Exhaustion
Graphics: CanvasWebGL Boundary Condition Vulnerability in Firefox <152
CVE-2026-12324
7.3 - High
- June 16, 2026
Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Improper Check or Handling of Exceptional Conditions
Firefox DOM: Core & HTML Spoofing Vulnerability (CVE-2026-12323)
CVE-2026-12323
5.4 - Medium
- June 16, 2026
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Clickjacking
Clickjacking via Firefox GTK Widget
CVE-2026-12322
5.4 - Medium
- June 16, 2026
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Clickjacking
Firefox JIT miscompilation in JS WebAssembly component (CVE-2026-12321)
CVE-2026-12321
5.4 - Medium
- June 16, 2026
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Always-Incorrect Control Flow Implementation
Info Disclosure in FF Password Manager
CVE-2026-12320
4.3 - Medium
- June 16, 2026
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Information Disclosure
DoS via Audio/Video Playback in Firefox 152 (Mozilla)
CVE-2026-12319
6.5 - Medium
- June 16, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Resource Exhaustion
Moz NSS: Boundary Condition Flaw in Libraries Component
CVE-2026-12318
7.3 - High
- June 16, 2026
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Memory Safety Vulnerability in Firefox 152
CVE-2026-12317
7.5 - High
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
DOM Mitigation Bypass in Firefox Security Component
CVE-2026-12316
9.1 - Critical
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Protection Mechanism Failure
Firefox 152 DOM Mitigation Bypass in Security Component
CVE-2026-12315
9.1 - Critical
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Firefox Memory Safety Bug - Fixed in v152, ESR 140.12
CVE-2026-12314
7.5 - High
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12313: Info Disclosure via Sandbox Escape in Process Sandboxing (Pre-152)
CVE-2026-12313
4.7 - Medium
- June 16, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Improper Privilege Management
Firefox 152: Memory Safety Bug Fixed ESR 140.12 Update
CVE-2026-12312
7.5 - High
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox 152/140.12 Process Sandboxing Disclosure & Sandbox Escape
CVE-2026-12311
4.7 - Medium
- June 16, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Function Call With Incorrect Variable or Reference as Argument
Firefox 152 Memory Safety Bug (CVE-2026-12310)
CVE-2026-12310
7.5 - High
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug in Firefox <152, fixed in 152 & ESR 140.12
CVE-2026-12309
6.5 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug in Firefox before 152 (ESR 140.12)
CVE-2026-12308
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12307: Memory safety bug in Firefox <152 (ESR 140.12) fixed
CVE-2026-12307
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox 152 MemSafe Bug Fixed
CVE-2026-12306
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug before Firefox 152, fixed in 152 & ESR 140.12
CVE-2026-12305
7.5 - High
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Same-origin Policy Bypass in Firefox Networking:Cookies (before FF 152)
CVE-2026-12304
9.1 - Critical
- June 16, 2026
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Origin Validation Error
CVE-2026-12303 Info Disclosure via WebGPU Boundary Conditions in Firefox
CVE-2026-12303
4.3 - Medium
- June 16, 2026
Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Out-of-bounds Read
Firefox Mitigation Bypass in DOM Component before 152 / ESR 140.12 / 115.37
CVE-2026-12302
6.5 - Medium
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Firefox 152 Memory Safety Vulnerability
CVE-2026-12301
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Firefox mem safety bug CVE-2026-12300 fixed in v152
CVE-2026-12300
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Firefox JIT Miscompilation in DOM Core & HTML (before 152, ESR 140.12, 115.37)
CVE-2026-12299
5.4 - Medium
- June 16, 2026
JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Object Type Confusion
Memory safety bug in Firefox before 152 (fixed in 152)
CVE-2026-12298
5.4 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Out-of-bounds Read
Firefox Sandbox Escape (Networking Boundary, pre-152)
CVE-2026-12297
- June 16, 2026
Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Firefox 152 Sandbox Escape in Process Sandboxing Component
CVE-2026-12296
- June 16, 2026
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Sandbox Esc. in DOM Nav. - Firefox <152 (ESR 140.12/115.37)
CVE-2026-12295
- June 16, 2026
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Firefox Sandbox Escape via DOM Workers (pre-152, ESR 140.12, ESR 115.37)
CVE-2026-12294
- June 16, 2026
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
UAF in Firefox 152 WebGPU
CVE-2026-12293
- June 16, 2026
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
CVE-2026-12292: Firefox Web Audio boundary flaw (v<152)
CVE-2026-12292
- June 16, 2026
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Use-after-free in Firefox Networking HTTP before 152
CVE-2026-12291
- June 16, 2026
Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Firefox Memory Safety bug fixed in 152 ESR 140.12/115.37
CVE-2026-12290
- June 16, 2026
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Firefox WebRender Privilege Escalation before 152
CVE-2026-12289
8.8 - High
- June 16, 2026
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Improper Privilege Management
Firefox JIT miscompilation before v151.0.3
CVE-2026-10702
4.3 - Medium
- June 02, 2026
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.
Object Type Confusion
Firefox 151.0.3 - Graphics Text boundary error (CVE-2026-10701)
CVE-2026-10701
7.5 - High
- June 02, 2026
Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 151.0.3.
Buffer Overflow
Firefox iOS Reader View XSS via JSONLD (fixed in v151.2)
CVE-2026-9309
5.4 - Medium
- June 01, 2026
Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2.
XSS
CVE-2026-9308: Firefox iOS Reader View Templating flaw -> arbitrary JS exec before 151.2
CVE-2026-9308
5.4 - Medium
- June 01, 2026
Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2.
XSS
Firefox for iOS 151.1: RTL/IDN Link Preview Spoof Vulnerability
CVE-2026-9078
5.4 - Medium
- May 25, 2026
Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.
User Interface (UI) Misrepresentation of Critical Information
Firefox iOS 151.0 Reader Mode Local Server SSRF
CVE-2026-8706
6.5 - Medium
- May 19, 2026
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.
Missing Authentication for Critical Function