Vulnerabilities in Mozilla

1,863 results
Vexday analysis

With 1,857 CVEs catalogued and 189 classified as critical, Mozilla's vulnerability history reflects the complexity of maintaining a widely adopted browser. The active exploitation rate (9 entries in the CISA KEV, representing 0.48% of the total) is in line with the overall catalogue average, which indicates a level of operational exposure consistent with the sector, without a significant negative deviation. The most recurrent flaw type is CWE-416 (use-after-free), a class of memory vulnerability with high potential for code execution, and the most dangerous CVE currently active, CVE-2016-9079, has an EPSS of 0.8792, a high value that suggests a significant probability of continued exploitation. The 144 CVEs that emerged in the last 90 days and the existence of 27 public proofs of concept reinforce the need for continuous monitoring and agile patch prioritization for environments that depend on Mozilla products.

| CVE | Severity | Description | EPSS |
|---|---|---|---|
| CVE-2026-6750 | HIGH | Privilege escalation in the Graphics: WebRender component | 0.5% |
| CVE-2026-2771 | CRITICAL | Undefined behavior in the DOM: Core & HTML component | 0.5% |
| CVE-2026-2778 | CRITICAL | Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component | 0.5% |
| CVE-2026-4691 | CRITICAL | Use-after-free in the CSS Parsing and Computation component | 0.5% |
| CVE-2021-23980 | MEDIUM | A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscrip | 0.5% |
| CVE-2024-9400 | HIGH | A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during | 0.5% |
| CVE-2025-14324 | CRITICAL | JIT miscompilation in the JavaScript Engine: JIT component | 0.5% |
| CVE-2021-23992 | | Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version | 0.5% |
| CVE-2023-3482 | | When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a so | 0.5% |
| CVE-2024-7518 | MEDIUM | Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This v | 0.5% |
| CVE-2024-1555 | HIGH | When opening a website using the `firefox://` protocol handler, SameSite cookies were not properly respected. This vulnerability affects Fir | 0.5% |
| CVE-2026-2758 | CRITICAL | Use-after-free in the JavaScript: GC component | 0.5% |
| CVE-2020-15682 | | When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An a | 0.5% |
| CVE-2026-12328 | HIGH | Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152 | 0.5% |
| CVE-2026-4702 | CRITICAL | JIT miscompilation in the JavaScript Engine component | 0.5% |
| CVE-2024-1556 | MEDIUM | The incorrect object was checked for NULL in the built-in profiler, potentially leading to invalid memory access and undefined behavior. *No | 0.5% |
| CVE-2025-8028 | CRITICAL | Large branch table could lead to truncated instruction | 0.5% |
| CVE-2024-5694 | HIGH | An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vu | 0.5% |
| CVE-2024-11706 | MEDIUM | A null pointer dereference may have inadvertently occurred in `pk12util`, and specifically in the `SEC_ASN1DecodeItem_Util` function, when h | 0.5% |
| CVE-2026-2765 | CRITICAL | Use-after-free in the JavaScript Engine component | 0.5% |