Vulnerabilities in Mozilla

1,863 results
Vexday analysis

With 1,857 catalogued CVEs and 189 classified as critical, Mozilla's vulnerability history reflects the complexity of maintaining a widely adopted browser. The rate of active exploitation (9 entries in the CISA KEV, representing 0.48% of the total) is in line with the overall catalogue average, which indicates a level of operational exposure consistent with the sector, without a significant negative deviation. The most recurrent flaw type is CWE-416 (use-after-free), a class of memory vulnerability with high potential for code execution, and the most dangerous currently active CVE, CVE-2016-9079, has an EPSS of 0.8792, a high value that suggests a significant probability of continued exploitation. The 144 CVEs that emerged in the last 90 days and the existence of 27 public proofs of concept reinforce the need for continuous monitoring and agile patch prioritisation for environments that depend on Mozilla products.

CVE | Severity | Description | EPSS
CVE-2026-4371 | HIGH | Out of bounds read in IMAP parsing | 0.4%
CVE-2026-2781 | HIGH | Integer overflow in the Libraries component in NSS | 0.4%
CVE-2024-7530 | CRITICAL | Incorrect garbage collection interaction could have led to a use-after-free. This vulnerability affects Firefox < 129. | 0.4%
CVE-2024-9397 | MEDIUM | A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking | 0.4%
CVE-2023-1521 | HIGH | Local Privilege Escalation in sccache | 0.4%
CVE-2018-12385 | | A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile | 0.4%
CVE-2025-5262 | HIGH | A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This cou… | 0.4%
CVE-2024-3853 | HIGH | A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. This vulnerab… | 0.4%
CVE-2024-6605 | HIGH | Firefox Android missed activation delay to prevent tapjacking | 0.4%
CVE-2022-29910 | MEDIUM | When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings. Note: This issue only af… | 0.4%
CVE-2023-2142 | MEDIUM | Nunjucks autoescape bypass leads to cross site scripting | 0.4%
CVE-2023-4104 | MEDIUM | An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitra… | 0.4%
CVE-2020-15657 | | Firefox could be made to load attacker-supplied DLL files from the installation directory. This required an attacker that is already capable… | 0.4%
CVE-2026-4684 | HIGH | Race condition, use-after-free in the Graphics: WebRender component | 0.4%
CVE-2025-8027 | MEDIUM | JavaScript engine only wrote partial return value to stack | 0.4%
CVE-2025-8033 | MEDIUM | Incorrect JavaScript state machine for generators | 0.4%
CVE-2025-9182 | HIGH | Denial-of-service due to out-of-memory in the Graphics: WebRender component | 0.4%
CVE-2026-5732 | HIGH | Incorrect boundary conditions, integer overflow in the Graphics: Text component | 0.4%
CVE-2025-3032 | HIGH | Leaking file descriptors from the fork server | 0.3%
CVE-2023-25748 | MEDIUM | By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or… | 0.3%