Mozilla Firefox Open source web browser
Recent Mozilla Firefox Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-02 | Security Vulnerabilities fixed in Firefox ESR 115.32 | January 13, 2026 |
| mfsa2026-03 | Security Vulnerabilities fixed in Firefox ESR 140.7 | January 13, 2026 |
| mfsa2026-01 | Security Vulnerabilities fixed in Firefox 147 | January 13, 2026 |
| mfsa2025-98 | Security Vulnerabilities fixed in Firefox 146.0.1 | December 18, 2025 |
| mfsa2025-97 | Security Vulnerabilities fixed in Firefox for iOS 144.0 | December 15, 2025 |
| mfsa2025-94 | Security Vulnerabilities fixed in Firefox ESR 140.6 | December 9, 2025 |
| mfsa2025-93 | Security Vulnerabilities fixed in Firefox ESR 115.31 | December 9, 2025 |
| mfsa2025-92 | Security Vulnerabilities fixed in Firefox 146 | December 9, 2025 |
| mfsa2025-89 | Security Vulnerabilities fixed in Firefox ESR 115.30 | November 11, 2025 |
| mfsa2025-88 | Security Vulnerabilities fixed in Firefox ESR 140.5 | November 11, 2025 |
Known Exploited Mozilla Firefox Vulnerabilities
The following Mozilla Firefox vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process. CVE-2024-9680. Exploit Probability: 24.6% | October 15, 2024 |
| Mozilla Firefox Security Feature Bypass Vulnerability | Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. CVE-2015-4495. Exploit Probability: 71.6% | May 25, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. CVE-2022-26486. Exploit Probability: 4.9% | March 7, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. CVE-2022-26485. Exploit Probability: 7.1% | March 7, 2022 |
| Mozilla Firefox Information Disclosure Vulnerability | Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. CVE-2013-1675. Exploit Probability: 4.7% | March 3, 2022 |
2 known exploited Mozilla Firefox vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Mozilla Firefox. Here are some end-of-life and end-of-support dates for Mozilla Firefox.
| Release | EOL Date | Status |
|---|---|---|
| 146 | - | Active |
| 145 | December 9, 2025 | EOL. Mozilla Firefox 145 became EOL in 2025. |
| 144 | November 11, 2025 | EOL. Mozilla Firefox 144 became EOL in 2025. |
| 143 | October 14, 2025 | EOL. Mozilla Firefox 143 became EOL in 2025. |
| 142 | September 16, 2025 | EOL. Mozilla Firefox 142 became EOL in 2025. |
| 141 | August 19, 2025 | EOL. Mozilla Firefox 141 became EOL in 2025. |
| 140 | September 16, 2026 | EOL This Year. Mozilla Firefox 140 will become EOL this year, in September 2026. |
| 139 | June 24, 2025 | EOL. Mozilla Firefox 139 became EOL in 2025. |
| 138 | May 27, 2025 | EOL. Mozilla Firefox 138 became EOL in 2025. |
| 137 | April 29, 2025 | EOL. Mozilla Firefox 137 became EOL in 2025. |
| 136 | April 1, 2025 | EOL. Mozilla Firefox 136 became EOL in 2025. |
| 135 | March 4, 2025 | EOL. Mozilla Firefox 135 became EOL in 2025. |
| 134 | February 4, 2025 | EOL. Mozilla Firefox 134 became EOL in 2025. |
| 133 | January 7, 2025 | EOL. Mozilla Firefox 133 became EOL in 2025. |
| 132 | November 26, 2024 | EOL. Mozilla Firefox 132 became EOL in 2024. |
| 131 | October 29, 2024 | EOL. Mozilla Firefox 131 became EOL in 2024. |
| 130 | October 1, 2024 | EOL. Mozilla Firefox 130 became EOL in 2024. |
| 129 | September 3, 2024 | EOL. Mozilla Firefox 129 became EOL in 2024. |
| 128 | September 16, 2025 | EOL. Mozilla Firefox 128 became EOL in 2025. |
| 127 | July 9, 2024 | EOL. Mozilla Firefox 127 became EOL in 2024. |
By the Year
In 2026 there have been 16 vulnerabilities in Mozilla Firefox, with an average score of 7.6 out of ten. Last year, in 2025, Firefox had 187 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Firefox in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.15.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 16 | 7.55 |
| 2025 | 187 | 7.70 |
| 2024 | 190 | 7.18 |
| 2023 | 180 | 7.38 |
| 2022 | 159 | 7.44 |
| 2021 | 123 | 7.10 |
| 2020 | 132 | 7.36 |
| 2019 | 108 | 7.62 |
| 2018 | 131 | 8.07 |
It may take a day or so for new Firefox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Security Vulnerabilities
Memory safety bugs present in Firefox 146 and Thunderbird 146
CVE-2026-0892
9.8 - Critical
- January 13, 2026
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Buffer Overflow
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
CVE-2026-0891
8.1 - High
- January 13, 2026
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
CVE-2026-0890
5.4 - Medium
- January 13, 2026
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Authentication Bypass by Spoofing
Denial-of-service in the DOM: Service Workers component
CVE-2026-0889
7.5 - High
- January 13, 2026
Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Resource Exhaustion
Information disclosure in the XML component
CVE-2026-0888
5.3 - Medium
- January 13, 2026
Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Information Disclosure
Clickjacking issue, information disclosure in the PDF Viewer component
CVE-2026-0887
4.3 - Medium
- January 13, 2026
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Incorrect boundary conditions in the Graphics component
CVE-2026-0886
5.3 - Medium
- January 13, 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Use-after-free in the JavaScript: GC component
CVE-2026-0885
6.5 - Medium
- January 13, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Use-after-free in the JavaScript Engine component
CVE-2026-0884
9.8 - Critical
- January 13, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Information disclosure in the Networking component
CVE-2026-0883
5.3 - Medium
- January 13, 2026
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Information Disclosure
Use-after-free in the IPC component
CVE-2026-0882
8.8 - High
- January 13, 2026
Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Sandbox escape in the Messaging System component
CVE-2026-0881
10 - Critical
- January 13, 2026
Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Protection Mechanism Failure
Sandbox escape due to integer overflow in the Graphics component
CVE-2026-0880
8.8 - High
- January 13, 2026
Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Integer Overflow or Wraparound
Sandbox escape due to incorrect boundary conditions in the Graphics component
CVE-2026-0879
9.8 - Critical
- January 13, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
CVE-2026-0878
8 - High
- January 13, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Mitigation bypass in the DOM: Security component
CVE-2026-0877
8.1 - High
- January 13, 2026
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Protection Mechanism Failure
Memory safety bugs in Mozilla Firefox <146.0.1 (Arbitrary code exec)
CVE-2025-14861
8.8 - High
- December 18, 2025
Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1.
Buffer Overflow
Firefox UAF in Disability Access APIs (pre146.0.1)
CVE-2025-14860
9.8 - Critical
- December 18, 2025
Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 146.0.1.
Dangling pointer
Firefox iOS RTLO Spoof in Downloads UI <144.0
CVE-2025-14744
6.5 - Medium
- December 18, 2025
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.
User Interface (UI) Misrepresentation of Critical Information
Firefox/Thunderbird Memory Corruption CVE-2025-14333 (ESR<140.6, <=145)
CVE-2025-14333
8.1 - High
- December 09, 2025
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Buffer Overflow
CVE-2025-14332: Memory Safety Bugs in Firefox 145 Enable Arbitrary Exec
CVE-2025-14332
7.3 - High
- December 09, 2025
Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Thunderbird < 146.
Memory Corruption
Firefox Same-Origin Policy Bypass in Request Handler <146
CVE-2025-14331
6.5 - Medium
- December 09, 2025
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Origin Validation Error
Firefox JIT Miscompilation in JavaScript Engine (<= 145, ESR < 140.6)
CVE-2025-14330
9.8 - Critical
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Function Call With Incorrect Argument Type
Firefox Netmonitor PrivEsc <146, ESR<140.6
CVE-2025-14329
8.8 - High
- December 09, 2025
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Privilege Escalation in Netmonitor (Firefox <146 / ESR<140.6)
CVE-2025-14328
8.8 - High
- December 09, 2025
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14327: Spoofing in Firefox Downloads Panel (v <146)
CVE-2025-14327
7.5 - High
- December 09, 2025
Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7.
Authentication Bypass by Spoofing
UA-Firefox-GMP UAF CVE-2025-14326
CVE-2025-14326
9.8 - Critical
- December 09, 2025
Use-after-free in the Audio/Video: GMP component. This vulnerability affects Firefox < 146 and Thunderbird < 146.
Dangling pointer
Firefox JIT Miscompilation (JS) <146/ESR<140.6
CVE-2025-14325
7.3 - High
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Object Type Confusion
Mozilla Firefox JIT Miscompilation (JS Engine) before v146, ESR <115.31/140.6
CVE-2025-14324
9.8 - Critical
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Code Injection
Firefox <146 PrivEsc via DOM Notifications
CVE-2025-14323
8.8 - High
- December 09, 2025
Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Firefox Sandbox Escape via CanvasWebGL before v146 (ESR <115.31,140.6)
CVE-2025-14322
8 - High
- December 09, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Improper Check for Unusual or Exceptional Conditions
Use-after-free in WebRTC Signaling: Firefox <146, ESR <140.6
CVE-2025-14321
9.8 - Critical
- December 09, 2025
Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Dangling pointer
Mozilla Firefox memory corruption bug (CVE-2025-13027)
CVE-2025-13027
8.1 - High
- November 11, 2025
Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Buffer Overflow
Firefox WebRTC Audio/Video UAF CVE-2025-13020 (<=145, ESR<140.5)
CVE-2025-13020
8.8 - High
- November 11, 2025
Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Dangling pointer
Firefox Workers DOM Same-origin policy bypass before 145
CVE-2025-13019
8.1 - High
- November 11, 2025
Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Permissive Cross-domain Policy with Untrusted Domains
Firefox WebGPU Sandbox Escape via Boundary Check Flaw
CVE-2025-13026
9.8 - Critical
- November 11, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox <145, ESR<140.5: DOM Mitigation Bypass in Security Component
CVE-2025-13018
8.1 - High
- November 11, 2025
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass Using an Alternate Path or Channel
Same-Origin Policy Bypass in Firefox Notifications <145
CVE-2025-13017
8.1 - High
- November 11, 2025
Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Permissive Cross-domain Policy with Untrusted Domains
Firefox WebGPU Incorrect Boundary Conditions (CVE-2025-13025)
CVE-2025-13025
7.5 - High
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Incorrect Default Permissions
Firefox JIT miscompilation (CVE-2025-13024)
CVE-2025-13024
9.8 - Critical
- November 11, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Compiler Optimization Removal or Modification of Security-critical Code
Firefox WebGPU Sandbox Escape via Boundary Check Failure
CVE-2025-13023
9.8 - Critical
- November 11, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox WebGPU Boundary Condition Exploit CVE-2025-13022
CVE-2025-13022
9.8 - Critical
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Incorrect boundary conditions in Firefox WebAssembly before v145 / ESR140.5
CVE-2025-13016
7.5 - High
- November 11, 2025
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Improper Check or Handling of Exceptional Conditions
Firefox Spoofing Vulnerability (145, ESR140.5/115.30)
CVE-2025-13015
3.4 - Low
- November 11, 2025
Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass by Spoofing
Firefox WebGPU Boundary Condition Failure (CVE-2025-13021)
CVE-2025-13021
9.8 - Critical
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox DOM Mitigation Bypass v<145/ESR<140.5
CVE-2025-13013
6.1 - Medium
- November 11, 2025
Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass Using an Alternate Path or Channel
UAF in Firefox AV before 145 (ESR <140.5/115.30)
CVE-2025-13014
8.8 - High
- November 11, 2025
Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Dangling pointer
Firefox Graphics Race Condition <v145 (ESR<140.5/115.30)
CVE-2025-13012
7.5 - High
- November 11, 2025
Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Race Condition
Firefox <144.0.2: Use-after-Free in WebGPU IPC Allows Sandbox Escape
CVE-2025-12380
9.8 - Critical
- October 28, 2025
Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability affects Firefox < 144.0.2.
Dangling pointer
Firefox Android Custom Tab UI Subdomain Disclosure (CVE-2025-11720)
CVE-2025-11720
8.1 - High
- October 14, 2025
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability affects Firefox < 144.
User Interface (UI) Misrepresentation of Critical Information