[UPDATE] [high] Mozilla Firefox and Thunderbird: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in Mozilla Firefox, Mozilla Firefox ESR, and Mozilla Thunderbird to execute arbitrary code, disclose information, bypass security restrictions (e.g., sandbox escape), deceive the user, escalate permissions, or cause a Denial-of-Service condition.
CSIRTS triage
- What
- Multiple vulnerabilities can be exploited to execute arbitrary code, disclose information, bypass security restrictions, escalate permissions, or cause a Denial-of-Service condition.
- Who is affected
- Users of Mozilla Firefox, Firefox ESR, and Thunderbird are affected.
- Urgency
- Remediation is urgent due to the high severity and potential for exploitation.
- Action
- Update to the latest version of Mozilla Firefox or Thunderbird.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Firefox
Get an email when a new Firefox advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1606
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-83880.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
- Low exploitation riskCVE-2026-83910.30% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 22% of all scored CVEs.
- Low exploitation riskCVE-2026-84010.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
- Low exploitation riskCVE-2026-87060.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
- Low exploitation riskCVE-2026-89450.37% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 29% of all scored CVEs.
- Low exploitation riskCVE-2026-89460.56% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
- Low exploitation riskCVE-2026-89470.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-89480.42% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 34% of all scored CVEs.
- Low exploitation riskCVE-2026-89490.58% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 44% of all scored CVEs.
- Low exploitation riskCVE-2026-89500.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
Referenced CVEs
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for Mozilla Firefox and Thunderbird
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- high[UPDATE] [high] Mozilla Firefox, Firefox ESR and Thunderbird: Multiple vulnerabilitiescert-bund · 2026-07-10
- criticalexploitedCVE-2016-9079: Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerabilitycisa-kev · 2023-06-22
- criticalexploitedCVE-2019-11708: Mozilla Firefox and Thunderbird Sandbox Escape Vulnerabilitycisa-kev · 2022-05-23
- criticalexploitedCVE-2019-11707: Mozilla Firefox and Thunderbird Type Confusion Vulnerabilitycisa-kev · 2022-05-23
- criticalexploitedCVE-2013-1690: Mozilla Firefox and Thunderbird Denial-of-Service Vulnerabilitycisa-kev · 2022-03-28
- criticalexploitedCVE-2020-6819: Mozilla Firefox And Thunderbird Use-After-Free Vulnerabilitycisa-kev · 2021-11-03
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10