Mozilla Firefox Open source web browser
Recent Mozilla Firefox Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-15 | Security Vulnerabilities fixed in Firefox ESR 140.8 | February 24, 2026 |
| mfsa2026-14 | Security Vulnerabilities fixed in Firefox ESR 115.33 | February 24, 2026 |
| mfsa2026-13 | Security Vulnerabilities fixed in Firefox 148 | February 24, 2026 |
| mfsa2026-12 | Security Vulnerabilities fixed in Firefox for iOS 147.4 | February 20, 2026 |
| mfsa2026-09 | Security Vulnerabilities fixed in Firefox for iOS 147.2.1 | February 9, 2026 |
| mfsa2026-06 | Security Vulnerabilities fixed in Firefox 147.0.2 | January 27, 2026 |
| mfsa2026-02 | Security Vulnerabilities fixed in Firefox ESR 115.32 | January 13, 2026 |
| mfsa2026-03 | Security Vulnerabilities fixed in Firefox ESR 140.7 | January 13, 2026 |
| mfsa2026-01 | Security Vulnerabilities fixed in Firefox 147 | January 13, 2026 |
| mfsa2025-98 | Security Vulnerabilities fixed in Firefox 146.0.1 | December 18, 2025 |
Known Exploited Mozilla Firefox Vulnerabilities
The following Mozilla Firefox vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process. CVE-2024-9680. Exploit Probability: 30.8% | October 15, 2024 |
| Mozilla Firefox Security Feature Bypass Vulnerability | Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. CVE-2015-4495. Exploit Probability: 71.6% | May 25, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. CVE-2022-26486. Exploit Probability: 2.2% | March 7, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. CVE-2022-26485. Exploit Probability: 7.1% | March 7, 2022 |
| Mozilla Firefox Information Disclosure Vulnerability | Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. CVE-2013-1675. Exploit Probability: 4.7% | March 3, 2022 |
2 known exploited Mozilla Firefox vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Mozilla Firefox. Here are some end-of-life and end-of-support dates for Mozilla Firefox.
| Release | EOL Date | Status |
|---|---|---|
| 148 | - | Active |
| 147 | February 24, 2026 | EOL. Mozilla Firefox 147 became EOL in 2026. |
| 146 | January 13, 2026 | EOL. Mozilla Firefox 146 became EOL in 2026. |
| 145 | December 9, 2025 | EOL. Mozilla Firefox 145 became EOL in 2025. |
| 144 | November 11, 2025 | EOL. Mozilla Firefox 144 became EOL in 2025. |
| 143 | October 14, 2025 | EOL. Mozilla Firefox 143 became EOL in 2025. |
| 142 | September 16, 2025 | EOL. Mozilla Firefox 142 became EOL in 2025. |
| 141 | August 19, 2025 | EOL. Mozilla Firefox 141 became EOL in 2025. |
| 140 | September 16, 2026 | EOL This Year. Mozilla Firefox 140 will become EOL this year, in September 2026. |
| 139 | June 24, 2025 | EOL. Mozilla Firefox 139 became EOL in 2025. |
| 138 | May 27, 2025 | EOL. Mozilla Firefox 138 became EOL in 2025. |
| 137 | April 29, 2025 | EOL. Mozilla Firefox 137 became EOL in 2025. |
| 136 | April 1, 2025 | EOL. Mozilla Firefox 136 became EOL in 2025. |
| 135 | March 4, 2025 | EOL. Mozilla Firefox 135 became EOL in 2025. |
| 134 | February 4, 2025 | EOL. Mozilla Firefox 134 became EOL in 2025. |
| 133 | January 7, 2025 | EOL. Mozilla Firefox 133 became EOL in 2025. |
| 132 | November 26, 2024 | EOL. Mozilla Firefox 132 became EOL in 2024. |
| 131 | October 29, 2024 | EOL. Mozilla Firefox 131 became EOL in 2024. |
| 130 | October 1, 2024 | EOL. Mozilla Firefox 130 became EOL in 2024. |
| 129 | September 3, 2024 | EOL. Mozilla Firefox 129 became EOL in 2024. |
By the Year
In 2026 there have been 72 vulnerabilities in Mozilla Firefox with an average score of 8.7 out of ten. Last year, in 2025, Firefox had 187 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Firefox in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.08.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 72 | 8.75 |
| 2025 | 187 | 7.67 |
| 2024 | 190 | 7.18 |
| 2023 | 180 | 7.38 |
| 2022 | 159 | 7.44 |
| 2021 | 123 | 7.13 |
| 2020 | 148 | 7.27 |
| 2019 | 121 | 7.44 |
| 2018 | 312 | 7.82 |
It may take a day or so for new Firefox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Security Vulnerabilities
Memory Safety Bugs in Firefox 147 (CVE-2026-2807)
CVE-2026-2807
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Memory Corruption
Firefox Graphics Text Uninit Memory (CVE-2026-2806)
CVE-2026-2806
9.1 - Critical
- February 24, 2026
Uninitialized memory in the Graphics: Text component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Use of Uninitialized Variable
Invalid pointer DOM Core & HTML in Firefox <148
CVE-2026-2805
9.8 - Critical
- February 24, 2026
Invalid pointer in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Access of Uninitialized Pointer
Use-after-Free in Firefox WebAssembly JS Engine
CVE-2026-2804
5.4 - Medium
- February 24, 2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Firefox <148 Settings UI Component Info Disclosure & Mitigation Bypass
CVE-2026-2803
- February 24, 2026
Information disclosure, mitigation bypass in the Settings UI component. This vulnerability affects Firefox < 148.
Race Condition in Firefox JS GC Component
CVE-2026-2802
- February 24, 2026
Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148.
Firefox <148 WAsm Boundary Condition Vulnerability
CVE-2026-2801
7.5 - High
- February 24, 2026
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Improper Check for Unusual or Exceptional Conditions
Firefox Android WebAuthn Spoofing CVE
CVE-2026-2800
9.8 - Critical
- February 24, 2026
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Authentication Bypass by Spoofing
Firefox <148: UAF in DOM Core/HTML
CVE-2026-2799
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Use-after-free (UAF) in Firefox DOM: Core & HTML (148)
CVE-2026-2798
- February 24, 2026
Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148.
Firefox JavaScript GC UAF (CVE-2026-2797)
CVE-2026-2797
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Firefox WebAssembly JIT Miscompilation CVE-2026-2796
CVE-2026-2796
9.8 - Critical
- February 24, 2026
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Object Type Confusion
Use-after-free in JS GC (Firefox <148)
CVE-2026-2795
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Firefox Uninitialized Memory Info Disclosure (147)
CVE-2026-2794
- February 24, 2026
Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability affects Firefox < 148.
Firefox iOS <147.4 Desync Address Bar Attack (CVE-2026-2634)
CVE-2026-2634
9.8 - Critical
- February 24, 2026
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability affects Firefox for iOS < 147.4.
User Interface (UI) Misrepresentation of Critical Information
Memory Safety Bug in Firefox ESR <115.33/140.8; <148 for FF/Thunderbird
CVE-2026-2793
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Memory Corruption
Memory Safety Bugs in Firefox 147 & ESR 140.7, Thunderbird 147 & ESR 140.7
CVE-2026-2792
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Memory Corruption
Firefox <148 / ESR<140.8: Networking Cache Mitigation Bypass
CVE-2026-2791
9.8 - Critical
- February 24, 2026
Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Firefox Same-origin policy bypass in JAR component before 148/ESR 140.8
CVE-2026-2790
- February 24, 2026
Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Use-after-free in Graphics ImageLib of Firefox <148 (ESR <115.33/140.8)
CVE-2026-2789
8.8 - High
- February 24, 2026
Use-after-free in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 Boundary Condition Flaw in Audio/Video GMP
CVE-2026-2788
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
UAF in Firefox DOM Window/Location before v148
CVE-2026-2787
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox JS Engine (before 148)
CVE-2026-2786
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Firefox <148/ESR<140.8: Invalid Pointer in JS Engine
CVE-2026-2785
8.8 - High
- February 24, 2026
Invalid pointer in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Access of Uninitialized Pointer
Firefox <148 & ESR<140.8: DOM Mitigation Bypass in Security Component
CVE-2026-2784
9.8 - Critical
- February 24, 2026
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Firefox <=148 Info Disclosure via JIT Miscomp
CVE-2026-2783
- February 24, 2026
Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Firefox Netmonitor Privilege Escalation (v<148/ESR<140.8)
CVE-2026-2782
8.8 - High
- February 24, 2026
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Firefox <148 ESR <140.8 Integer Overflow in NSS Libraries
CVE-2026-2781
- February 24, 2026
Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Firefox Netmonitor PrivEsc pre-148 ESR<140.8
CVE-2026-2780
8.8 - High
- February 24, 2026
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Firefox sandbox escape via DOM boundary conditions <148
CVE-2026-2778
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Firefox JAR Boundary Flaw (pre-148, ESR <140.8)
CVE-2026-2779
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Privilege Escalation in Firefox MessagingSystem <148 (ESR <115.33,140.8)
CVE-2026-2777
9.8 - Critical
- February 24, 2026
Privilege escalation in the Messaging System component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Sandbox escape CVE-2026-2776 in Firefox <148 via Telemetry boundary
CVE-2026-2776
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Firefox HTMLParser Mitigation Bypass before v148 (ESR <115.33/140.8)
CVE-2026-2775
9.8 - Critical
- February 24, 2026
Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Firefox Audio/Video Component Integer Overflow (FF<148, ESR<115.33)
CVE-2026-2774
8.8 - High
- February 24, 2026
Integer overflow in the Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Integer Overflow or Wraparound
Firefox WebAudio Wrong boundary flaw before v148
CVE-2026-2773
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
UAF in Firefox <148 AV Playback component
CVE-2026-2772
8.8 - High
- February 24, 2026
Use-after-free in the Audio/Video: Playback component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 / ESR <115.33, <140.8 Undefined Behavior in DOM (CVE-2026-2771)
CVE-2026-2771
- February 24, 2026
Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Use-after-free in Firefox DOM Bindings (WebIDL) < v148
CVE-2026-2770
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox IndexedDB before v148
CVE-2026-2769
8.8 - High
- February 24, 2026
Use-after-free in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <=148 IndexedDB sandbox escape
CVE-2026-2768
10 - Critical
- February 24, 2026
Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Protection Mechanism Failure
Use-After-Free in Firefox <148 & ESR <140.8 WebAssembly (Wasm)
CVE-2026-2767
- February 24, 2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Use-after-free in Firefox JavaScript Engine JIT <148/ESR 140.8
CVE-2026-2766
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox JS Engine (before 148, ESR<140.8)
CVE-2026-2765
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
UAF in Firefox JavaScript Engine < v148 & ESR 115.33
CVE-2026-2763
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 JIT Miscompilation UAF in JS Engine
CVE-2026-2764
9.8 - Critical
- February 24, 2026
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Integer Overflow in Firefox JS Std Lib <148 (ESR<140.8)
CVE-2026-2762
9.8 - Critical
- February 24, 2026
Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Integer Overflow or Wraparound
Firefox Sandbox Escape via WebRender (148, ESR 115.33)
CVE-2026-2761
10 - Critical
- February 24, 2026
Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Protection Mechanism Failure
Firefox Sandbox Escape in WebRender before 148 / ESR 115.33 / 140.8
CVE-2026-2760
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
1384
Firefox <148 UAF in JS GC
CVE-2026-2758
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer