[UPDATE] [high] Mozilla Firefox, Firefox ESR and Thunderbird: Multiple vulnerabilities
An attacker can exploit multiple vulnerabilities in Mozilla Firefox, Mozilla Firefox ESR, and Mozilla Thunderbird to execute arbitrary code, gain elevated privileges, cause memory corruption, bypass security measures, escape the sandbox, disclose confidential information, manipulate data, and trigger denial-of-service conditions.
CSIRTS triage
- What
- Multiple vulnerabilities allow an attacker to execute arbitrary code and gain elevated privileges.
- Who is affected
- Deployments of Mozilla Firefox, Firefox ESR, and Thunderbird.
- Urgency
- Remediation is high urgency due to the potential for exploitation.
- Action
- Update to the latest version of Mozilla Firefox, Firefox ESR, and Thunderbird.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Firefox, Firefox ESR and Thunderbird
Get an email when a new Firefox, Firefox ESR and Thunderbird advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1959
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-122890.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-122900.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-122910.38% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 30% of all scored CVEs.
- Low exploitation riskCVE-2026-122920.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all scored CVEs.
- Low exploitation riskCVE-2026-122930.30% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 22% of all scored CVEs.
- Low exploitation riskCVE-2026-122940.36% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 28% of all scored CVEs.
- Low exploitation riskCVE-2026-122950.39% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 31% of all scored CVEs.
- Low exploitation riskCVE-2026-122960.39% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 31% of all scored CVEs.
- Low exploitation riskCVE-2026-122970.39% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 31% of all scored CVEs.
- Low exploitation riskCVE-2026-122980.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 22% of all scored CVEs.
Referenced CVEs
Recent advisories for Mozilla Firefox
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- high[UPDATE] [high] Mozilla Firefox and Thunderbird: Multiple vulnerabilitiescert-bund · 2026-07-09
- high[UPDATE] [high] Mozilla Firefox: Multiple vulnerabilitiescert-bund · 2026-07-09
- medium[NEW] [medium] Mozilla Firefox for iOS: Vulnerability allows display of false informationcert-bund · 2026-07-07
- unknownVulnerability in Mozilla Firefox for iOS (July 7, 2026)cert-fr-avis · 2026-07-07
- high[UPDATE] [high] Mozilla Firefox: Vulnerability allows code executioncert-bund · 2026-07-02
- unknownVulnerability in Mozilla Firefox (July 1, 2026)cert-fr-avis · 2026-07-01
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10