VYPR

Firefox

by Mozilla Corporation

Source repositories

CVEs (3,179)

  • CVE-2026-2032MedFeb 16, 2026
    risk 0.28cvss 4.3epss 0.00

    Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability was fixed in Firefox for iOS 147.2.1.

  • CVE-2026-0887MedJan 13, 2026
    risk 0.28cvss 4.3epss 0.00

    Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-8364MedAug 19, 2025
    risk 0.28cvss 4.3epss 0.00

    A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141.

  • CVE-2025-6434MedJun 24, 2025
    risk 0.28cvss 4.3epss 0.00

    The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140…

  • CVE-2025-6428MedJun 24, 2025
    risk 0.28cvss 4.3epss 0.00

    When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was…

  • CVE-2025-5266MedMay 27, 2025
    risk 0.28cvss 4.3epss 0.00

    Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-5263MedMay 27, 2025
    risk 0.28cvss 4.3epss 0.00

    Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-5020MedMay 21, 2025
    risk 0.28cvss 4.3epss 0.00

    Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.

  • CVE-2025-27425MedMar 4, 2025
    risk 0.28cvss 4.3epss 0.00

    Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-27424MedMar 4, 2025
    risk 0.28cvss 4.3epss 0.00

    Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page. This vulnerability was fixed in Firefox for iOS 136.

  • CVE-2025-1935MedMar 4, 2025
    risk 0.28cvss 4.3epss 0.00

    A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

  • CVE-2025-1019MedFeb 4, 2025
    risk 0.28cvss 4.3epss 0.00

    The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2025-23108MedJan 11, 2025
    risk 0.28cvss 4.3epss 0.00

    Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability was fixed in Firefox for iOS 134.

  • CVE-2024-11701MedNov 26, 2024
    risk 0.28cvss 4.3epss 0.00

    The incorrect domain may have been displayed in the address bar during an interrupted navigation attempt. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133 and Thunderbird < 133.

  • CVE-2024-11692MedNov 26, 2024
    risk 0.28cvss 4.3epss 0.00

    An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

  • CVE-2024-6614MedJul 9, 2024
    risk 0.28cvss 4.3epss 0.00

    The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128 and Thunderbird < 128.

  • CVE-2024-6610MedJul 9, 2024
    risk 0.28cvss 4.3epss 0.00

    Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128 and Thunderbird < 128.

  • CVE-2024-6608MedJul 9, 2024
    risk 0.28cvss 4.3epss 0.00

    It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.

  • CVE-2024-5697MedJun 11, 2024
    risk 0.28cvss 4.3epss 0.00

    A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. This vulnerability affects Firefox < 127.

  • CVE-2024-5690MedJun 11, 2024
    risk 0.28cvss 4.3epss 0.01

    By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

Page 89 of 159