Vulnerabilities in Mozilla

1,863 results
Vexday analysis

With 1,857 catalogued CVEs, 189 of them rated critical, Mozilla's vulnerability history reflects the complexity of maintaining a widely adopted browser. The active-exploitation rate (9 entries in the CISA KEV catalogue, 0.48% of the total) is in line with the overall catalogue average, which indicates a level of operational exposure consistent with the sector and no significant negative deviation. The most recurrent weakness type is CWE-416 (use-after-free), a memory-safety class with high potential for code execution, and the most dangerous currently active CVE, CVE-2016-9079, has an EPSS score of 0.8792, a high value that suggests a significant probability of continued exploitation. The 144 CVEs published in the last 90 days and the 27 public proofs of concept reinforce the need for continuous monitoring and prompt patch prioritization in environments that depend on Mozilla products.

CVE | Severity | Summary | EPSS
CVE-2025-4082 | MEDIUM | WebGL shader attribute memory corruption in Thunderbird for macOS | EPSS 0.4%
CVE-2024-10004 | CRITICAL | Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in t | EPSS 0.4%
CVE-2026-8960 | HIGH | Spoofing issue in WebExtensions | EPSS 0.4%
CVE-2025-14333 | HIGH | Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 | EPSS 0.4%
CVE-2025-8034 | HIGH | Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | EPSS 0.4%
CVE-2026-7323 | HIGH | Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 | EPSS 0.4%
CVE-2025-6435 | HIGH | Save as in Devtools could download files without sanitizing the extension | EPSS 0.4%
CVE-2026-12305 | HIGH | Memory safety bug fixed in Firefox 152 | EPSS 0.4%
CVE-2025-1930 | HIGH | AudioIPC StreamData could trigger a use-after-free in the Browser process | EPSS 0.4%
CVE-2026-8952 | HIGH | Privilege escalation in the Application Update component | EPSS 0.4%
CVE-2022-1197 | MEDIUM | When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key | EPSS 0.4%
CVE-2023-0547 | MEDIUM | OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be acce | EPSS 0.4%
CVE-2026-8962 | HIGH | Mitigation bypass in the DOM: Security component | EPSS 0.4%
CVE-2024-4774 | MEDIUM | The `ShmemCharMapHashEntry()` code was susceptible to potentially undefined behavior by bypassing the move semantics for one of its data mem | EPSS 0.4%
CVE-2023-0430 | MEDIUM | Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be display | EPSS 0.4%
CVE-2024-6614 | MEDIUM | Incorrect listing of stack frames | EPSS 0.4%
CVE-2022-22762 | MEDIUM | Under certain circumstances, a JavaScript alert (or prompt) could have been shown while another website was displayed underneath it. This co | EPSS 0.4%
CVE-2024-4769 | MEDIUM | When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and n | EPSS 0.4%
CVE-2026-8945 | HIGH | Sandbox escape in Firefox and Firefox Focus for Android | EPSS 0.4%
CVE-2022-45419 | MEDIUM | If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certifi | EPSS 0.4%
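The analysis above ranks exposure by KEV membership first, then EPSS, then public proofs of concept, and only then by severity. The following is an added example, not Vexday's code, that turns that ordering into a triage routine and reproduces the summary metrics (KEV share, most common CWE, recent-90-day count) over a small constructed sample. The CVE IDs, severities and the 0.4% / 0.8792 EPSS values come from this page; the CWE, KEV, PoC and publication-date fields, the reference date, and the 0.5 EPSS threshold are illustrative assumptions, since the listing does not give them per entry.

```python
"""Triage helper for a vulnerability catalogue slice (added example, not Vexday's code).

Ranks records the way the page's analysis argues they should be ranked:
actively exploited (CISA KEV) > high EPSS > public PoC > severity > raw EPSS.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    severity: str          # CRITICAL / HIGH / MEDIUM / LOW, as on the page
    epss: float            # EPSS: estimated probability of exploitation in the next 30 days
    cwe: Optional[str]     # weakness class, e.g. "CWE-416" for use-after-free
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    public_poc: bool       # a public proof of concept exists
    published: date


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
HIGH_EPSS = 0.5          # assumed cut-off; the page's CVE-2016-9079 at 0.8792 is well above it
TODAY = date(2026, 6, 1)  # assumed reference date for the 90-day window

# Constructed sample. IDs, severities and EPSS values are from the page's listing
# (CVE-2016-9079 severity is assumed HIGH); CWE, KEV, PoC and dates are illustrative.
SAMPLE: List[CveRecord] = [
    CveRecord("CVE-2016-9079", "HIGH", 0.8792, "CWE-416", True, True, date(2016, 12, 1)),
    CveRecord("CVE-2024-10004", "CRITICAL", 0.004, None, False, False, TODAY - timedelta(days=500)),
    CveRecord("CVE-2025-1930", "HIGH", 0.004, "CWE-416", False, False, TODAY - timedelta(days=400)),
    CveRecord("CVE-2025-4082", "MEDIUM", 0.004, None, False, True, TODAY - timedelta(days=60)),
    CveRecord("CVE-2026-8945", "HIGH", 0.004, None, False, False, TODAY - timedelta(days=10)),
    CveRecord("CVE-2026-12305", "HIGH", 0.004, None, False, False, TODAY - timedelta(days=3)),
]


def kev_share(records: Iterable[CveRecord]) -> float:
    """Fraction of records in CISA KEV (the page reports 9 of 1,857 = 0.48% for Mozilla)."""
    records = list(records)
    if not records:
        return 0.0
    return sum(1 for r in records if r.in_kev) / len(records)


def most_common_cwe(records: Iterable[CveRecord]) -> Optional[str]:
    """Most frequent weakness class among records that carry a CWE."""
    counts = Counter(r.cwe for r in records if r.cwe)
    return counts.most_common(1)[0][0] if counts else None


def published_within(records: Iterable[CveRecord], days: int = 90,
                     today: date = TODAY) -> List[CveRecord]:
    """Records published in the last `days` days relative to `today`."""
    window = timedelta(days=days)
    return [r for r in records if today - r.published <= window]


def triage_key(r: CveRecord):
    """Sort key; higher tuples mean patch sooner. A 0.4% EPSS is the baseline,
    not a 'safe' signal, so severity still separates the baseline entries."""
    return (
        r.in_kev,
        r.epss >= HIGH_EPSS,
        r.public_poc,
        SEVERITY_RANK.get(r.severity.upper(), 0),
        r.epss,
    )


def prioritize(records: Iterable[CveRecord]) -> List[CveRecord]:
    """Patch order: KEV first, then high EPSS, then PoC, then severity (stable for ties)."""
    return sorted(records, key=triage_key, reverse=True)


if __name__ == "__main__":
    print(f"KEV share: {kev_share(SAMPLE):.2%}")
    print(f"Most common CWE: {most_common_cwe(SAMPLE)}")
    print(f"Published in last 90 days: {len(published_within(SAMPLE))}")
    for r in prioritize(SAMPLE):
        print(f"{r.cve_id:16} {r.severity:8} EPSS={r.epss:.4f} KEV={r.in_kev} PoC={r.public_poc}")
```

The sort is stable, so entries that tie on every signal keep their catalogue order; in practice the KEV flag should be refreshed from the CISA feed and EPSS re-pulled regularly, because both change daily while the CVE record itself does not.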