Firefox for Android
CVEs (9)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2800 | | Critical | 0.64 | 9.8 | 0.00 | | Feb 24, 2026 | Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 148 and Thunderbird 148. |
| CVE-2025-8042 | | Critical | 0.64 | 9.8 | 0.00 | | Aug 19, 2025 | Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141. |
| CVE-2026-2794 | | High | 0.49 | 7.5 | 0.00 | | Feb 24, 2026 | Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148. |
| CVE-2025-10535 | | High | 0.49 | 7.5 | 0.00 | | Sep 16, 2025 | Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143. |
| CVE-2026-8951 | | Medium | 0.42 | 6.5 | 0.00 | | May 19, 2026 | Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151. |
| CVE-2025-10530 | | Medium | 0.42 | 6.5 | 0.00 | | Sep 16, 2025 | Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 143 and Thunderbird 143. |
| CVE-2025-6431 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 24, 2025 | When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140. |
| CVE-2025-8041 | | Medium | 0.34 | 5.3 | 0.00 | | Aug 19, 2025 | In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability was fixed in Firefox 141. |
| CVE-2025-6428 | | Medium | 0.28 | 4.3 | 0.00 | | Jun 24, 2025 | When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140. |