Vulnerabilities in Mozilla

1,863 results
Vexday analysis

With 1,857 CVEs catalogued and 189 classified as critical, Mozilla's vulnerability history reflects the complexity of maintaining a widely adopted browser. The rate of active exploitation (9 entries in the CISA KEV, or 0.48% of the total) is in line with the catalogue-wide average, indicating a level of operational exposure consistent with the sector and no significant negative deviation. The most recurrent flaw type is CWE-416 (use-after-free), a memory-safety vulnerability class with high potential for code execution, and the most dangerous currently active CVE, CVE-2016-9079, has an EPSS score of 0.8792, a high value that suggests a significant probability of continued exploitation. The 144 CVEs that appeared in the last 90 days and the existence of 27 public proofs of concept reinforce the need for continuous monitoring and agile patch prioritization in environments that depend on Mozilla products.

CVE-2018-12397 (EPSS 0.4%): A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websit
CVE-2024-0748 MEDIUM (EPSS 0.4%): A compromised content process could have updated the document URI. This could have allowed an attacker to set an arbitrary URI in the addres
CVE-2025-8043 CRITICAL (EPSS 0.4%): Incorrect URL truncation
CVE-2025-54145 CRITICAL (EPSS 0.4%): Scanning a malicious URL utilizing Firefox's open-text scheme with the QR code scanner could load arbitrary websites
CVE-2024-8386 MEDIUM (EPSS 0.4%): If a site had been granted the permission to open popup windows, it could cause Select elements to appear on top of another site to perform
CVE-2026-2777 CRITICAL (EPSS 0.4%): Privilege escalation in the Messaging System component
CVE-2022-34469 HIGH (EPSS 0.4%): When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificat
CVE-2026-2785 HIGH (EPSS 0.4%): Invalid pointer in the JavaScript Engine component
CVE-2026-2768 CRITICAL (EPSS 0.4%): Sandbox escape in the Storage: IndexedDB component
CVE-2024-3862 MEDIUM (EPSS 0.4%): The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. Th
CVE-2022-22758 HIGH (EPSS 0.4%): When clicking on a tel: link, USSD codes, specified after a * character, would be included in the phone number. On certain pho
CVE-2022-34473 MEDIUM (EPSS 0.4%): The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did no
CVE-2026-12294 CRITICAL (EPSS 0.4%): Sandbox escape in the DOM: Workers component
CVE-2026-6759 HIGH (EPSS 0.4%): Use-after-free in the Widget: Cocoa component
CVE-2025-3909 HIGH (EPSS 0.4%): JavaScript Execution via Spoofed PDF Attachment and file:/// Link
CVE-2017-5409 (EPSS 0.4%): The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callba
CVE-2022-38472 MEDIUM (EPSS 0.4%): An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the ad
CVE-2023-4580 (EPSS 0.4%): Push notifications saved to disk unencrypted
CVE-2025-1014 HIGH (EPSS 0.4%): Certificate length was not properly checked
CVE-2026-0885 MEDIUM (EPSS 0.4%): Use-after-free in the JavaScript: GC component