Mozilla Firefox Open source web browser
Recent Mozilla Firefox Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-37 | Security Vulnerabilities fixed in Firefox ESR 115.35.1 | April 28, 2026 |
| mfsa2026-35 | Security Vulnerabilities fixed in Firefox 150.0.1 | April 28, 2026 |
| mfsa2026-36 | Security Vulnerabilities fixed in Firefox ESR 140.10.1 | April 28, 2026 |
| mfsa2026-31 | Security Vulnerabilities fixed in Firefox ESR 115.35 | April 21, 2026 |
| mfsa2026-32 | Security Vulnerabilities fixed in Firefox ESR 140.10 | April 21, 2026 |
| mfsa2026-30 | Security Vulnerabilities fixed in Firefox 150 | April 21, 2026 |
| mfsa2026-26 | Security Vulnerabilities fixed in Firefox ESR 115.34.1 | April 7, 2026 |
| mfsa2026-27 | Security Vulnerabilities fixed in Firefox ESR 140.9.1 | April 7, 2026 |
| mfsa2026-25 | Security Vulnerabilities fixed in Firefox 149.0.2 | April 7, 2026 |
| mfsa2026-20 | Security Vulnerabilities fixed in Firefox 149 | March 24, 2026 |
Known Exploited Mozilla Firefox Vulnerabilities
The following Mozilla Firefox vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process. CVE-2024-9680. Exploit Probability: 30.8% | October 15, 2024 |
| Mozilla Firefox Security Feature Bypass Vulnerability | Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. CVE-2015-4495. Exploit Probability: 71.6% | May 25, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. CVE-2022-26486. Exploit Probability: 5.5% | March 7, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. CVE-2022-26485. Exploit Probability: 7.2% | March 7, 2022 |
| Mozilla Firefox Information Disclosure Vulnerability | Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. CVE-2013-1675. Exploit Probability: 7.9% | March 3, 2022 |
2 known exploited Mozilla Firefox vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Mozilla Firefox. Here are some end-of-life and end-of-support dates for Mozilla Firefox.
| Release | EOL Date | Status |
|---|---|---|
| 150 | - | Active |
| 149 | April 21, 2026 | EOL |
| 148 | March 24, 2026 | EOL |
| 147 | February 24, 2026 | EOL |
| 146 | January 13, 2026 | EOL |
| 145 | December 9, 2025 | EOL |
| 144 | November 11, 2025 | EOL |
| 143 | October 14, 2025 | EOL |
| 142 | September 16, 2025 | EOL |
| 141 | August 19, 2025 | EOL |
| 140 | September 16, 2026 | EOL This Year |
| 139 | June 24, 2025 | EOL |
| 138 | May 27, 2025 | EOL |
| 137 | April 29, 2025 | EOL |
| 136 | April 1, 2025 | EOL |
| 135 | March 4, 2025 | EOL |
| 134 | February 4, 2025 | EOL |
| 133 | January 7, 2025 | EOL |
| 132 | November 26, 2024 | EOL |
| 131 | October 29, 2024 | EOL |
By the Year
In 2026 there have been 171 vulnerabilities in Mozilla Firefox, with an average score of 8.3 out of ten. Last year, in 2025, Firefox had 189 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Firefox in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.72.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 171 | 8.26 |
| 2025 | 189 | 7.54 |
| 2024 | 190 | 7.18 |
| 2023 | 180 | 7.38 |
| 2022 | 159 | 7.44 |
| 2021 | 123 | 7.13 |
| 2020 | 148 | 7.27 |
| 2019 | 121 | 7.44 |
| 2018 | 312 | 7.82 |
It may take a day or so for new Firefox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Security Vulnerabilities
Firefox Sandbox Escape in WebRTC Networking before ESR 140.10.1
CVE-2026-7321
9.6 - Critical
- April 28, 2026
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
Classic Buffer Overflow
Memory safety bugs in Firefox 150.0.0 (fixed 150.0.1)
CVE-2026-7324
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
Buffer Overflow
Memory Safety Bug in Firefox ESR 140.10.0 & Thunderbird 140.10.0
CVE-2026-7323
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Memory safety bugs in Firefox ESR 115.35.0/140.10.0 & 150.0.0 (fixed 150.0.1)
CVE-2026-7322
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Firefox Audio/Video Boundary Bug Info Disclosure (fixed in 150.0.1)
CVE-2026-7320
7.5 - High
- April 28, 2026
Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Firefox 149 / ESR 140.9 Memory Safety Bugs (Arbitrary Code Exec)
CVE-2026-6786
8.1 - High
- April 21, 2026
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Mozilla Firefox Memory Safety Bug (ESR 115.34, 115.35, ESR 140.9/140.10, 149)
CVE-2026-6785
8.1 - High
- April 21, 2026
Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Out-of-bounds Read
Memory Safety Bugs in Firefox 149 & Thunderbird 149
CVE-2026-6784
7.5 - High
- April 21, 2026
Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Out-of-bounds Read
Firefox 150 AV Playback CVE-2026-6783 Integer Overflow
CVE-2026-6783
5.3 - Medium
- April 21, 2026
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Integer Overflow or Wraparound
Info Disclosure via Firefox IP Protection Component
CVE-2026-6782
7.5 - High
- April 21, 2026
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Information Disclosure
DoS in Firefox AV Playback Component (CVE-2026-6781)
CVE-2026-6781
7.5 - High
- April 21, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Resource Exhaustion
Mozilla Firefox JS Engine CVE-2026-6779 (Other issue)
CVE-2026-6779
5.3 - Medium
- April 21, 2026
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Buffer Overflow
Firefox A/V Playback DoS Vulnerability
CVE-2026-6780
7.5 - High
- April 21, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Resource Exhaustion
Firefox 150 - Invalid Pointer in Audio/Video Playback
CVE-2026-6778
5.3 - Medium
- April 21, 2026
Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Access of Uninitialized Pointer
CVE-2026-6777: Firefox DNS Component Vulnerability
CVE-2026-6777
5.3 - Medium
- April 21, 2026
Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Improper Input Validation
Firefox <150 WebRTC Networking boundary condition flaw (CVE-2026-6776)
CVE-2026-6776
7.8 - High
- April 21, 2026
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Buffer Overflow
Firefox WebRTC Improper Boundary Check (CVE-2026-6775)
CVE-2026-6775
5.3 - Medium
- April 21, 2026
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Buffer Overflow
DOM Mitigation Bypass in Firefox Security Component
CVE-2026-6774
5.4 - Medium
- April 21, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Protection Mechanism Failure
Firefox WebGPU Integer Overflow DoS
CVE-2026-6773
7.5 - High
- April 21, 2026
Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Integer Overflow or Wraparound
Firefox NSS Libraries Boundary Cond. before 150
CVE-2026-6772
7.5 - High
- April 21, 2026
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Improper Check for Unusual or Exceptional Conditions
Firefox 150 DOM Mitigation Bypass in Security Component
CVE-2026-6771
9.8 - Critical
- April 21, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Authentication Bypass Using an Alternate Path or Channel
IndexedDB flaw in Firefox <=150 (ESR 140.10)
CVE-2026-6770
6.5 - Medium
- April 21, 2026
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Information Disclosure
Priv Escalation in Firefox Debugger (before 150)
CVE-2026-6769
8.8 - High
- April 21, 2026
Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Improper Privilege Management
CVE-2026-6768: Mitigation Bypass in Firefox Cookies Handling
CVE-2026-6768
9.8 - Critical
- April 21, 2026
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Authentication Bypass Using an Alternate Path or Channel
Firefox NSS boundary overflow (before 150/140.10)
CVE-2026-6766
7.5 - High
- April 21, 2026
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Improper Check for Unusual or Exceptional Conditions
NSS Lib Other Issue (Fixed in Firefox 150/ESR 115.35)
CVE-2026-6767
5.3 - Medium
- April 21, 2026
Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Buffer Overflow
Firefox Autofill Info Disclosure before 150
CVE-2026-6765
5.3 - Medium
- April 21, 2026
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Privacy violation
Firefox DOM Boundary Condition Flaw in Device Interfaces (fixed in v150)
CVE-2026-6764
6.5 - Medium
- April 21, 2026
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Buffer Overflow
Firefox File Handling Mitigation Bypass (Before 150/ESR 140.10)
CVE-2026-6763
6.5 - Medium
- April 21, 2026
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Protection Mechanism Failure
Firefox DOM Spoofing Vulnerability (pre-150) Core & HTML
CVE-2026-6762
6.3 - Medium
- April 21, 2026
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Authentication Bypass by Spoofing
Firefox 150 PrivEsc via Networking Component
CVE-2026-6761
8.8 - High
- April 21, 2026
Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Improper Privilege Management
Firefox Networking Cookies Mitigation Bypass CVE-2026-6760
CVE-2026-6760
9.8 - Critical
- April 21, 2026
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Authentication Bypass Using an Alternate Path or Channel
Use-after-free in Firefox Widget Cocoa (150)
CVE-2026-6759
7.5 - High
- April 21, 2026
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Use-after-free: WebAssembly Component in Firefox
CVE-2026-6758
7.5 - High
- April 21, 2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Dangling pointer
Firefox WebAsm Null Pointer Bug Before v150 (CVE-2026-6757)
CVE-2026-6757
6.3 - Medium
- April 21, 2026
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Access of Uninitialized Pointer
Firefox for Android Mitigation Bypass
CVE-2026-6756
7.5 - High
- April 21, 2026
Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.
Information Disclosure
Mozilla Firefox postMessage DOM Mitigation Bypass (CVE-2026-6755)
CVE-2026-6755
6.5 - Medium
- April 21, 2026
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Session Riding
UAF in JavaScript Engine, fixed in Firefox 150/ESR 115.35/140.10
CVE-2026-6754
7.5 - High
- April 21, 2026
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Firefox WebRTC Boundary Condition Vulnerability (fixed in 150/ESR 140.10)
CVE-2026-6753
7.3 - High
- April 21, 2026
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Buffer Overflow
Firefox WebRTC Boundary Condition Flaw (before v150 / ESR 115.35)
CVE-2026-6752
7.3 - High
- April 21, 2026
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Buffer Overflow
Pre-150 Firefox Web Codecs Uninitialized Memory Vulnerability
CVE-2026-6751
7.3 - High
- April 21, 2026
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Use of Uninitialized Variable
Firefox PrivEsc via Graphics:WebRender before 150
CVE-2026-6750
8.8 - High
- April 21, 2026
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Improper Privilege Management
Firefox Canvas2D Info Disclosure via Uninit Mem, Fixed 150/ESR115.35
CVE-2026-6749
7.5 - High
- April 21, 2026
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Use of Uninitialized Resource
Web Codecs Uninitialized Mem in Firefox <150 (Fixed 150)
CVE-2026-6748
9.8 - Critical
- April 21, 2026
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Use of Uninitialized Variable
Firefox <150 WebRTC Use-after-free Vulnerability
CVE-2026-6747
7.5 - High
- April 21, 2026
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Use-after-free in Firefox Core&HTML before v150
CVE-2026-6746
7.5 - High
- April 21, 2026
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Memory safety bug in Firefox <149.0.2 & Thunderbird 149.0.1
CVE-2026-5735
8.1 - High
- April 07, 2026
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Memory corruption in Firefox <149.0.2 & ESR <140.9.1
CVE-2026-5734
8.1 - High
- April 07, 2026
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Classic Buffer Overflow
Firefox <149.0.2 WebGPU Boundary Conditions CVE-2026-5733
CVE-2026-5733
8.8 - High
- April 07, 2026
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Buffer Overflow
Integer Overflow in Firefox Graphics: Text Component (149.0.2 / ESR 140.9.1)
CVE-2026-5732
8.8 - High
- April 07, 2026
Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Integer Overflow or Wraparound