CVE List – Find High-Risk & Exploited Vulnerabilities

Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.

Assigner (CNA / source):[email protected] Remove this filter

Showing 2140 of 2562 results
«« First « Prev Page 2 / 129 Next »
CVE Description Max CVSS EPSS % Published Updated
CVE-2024-12224 Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. 5.1 0.15% 2025-05-29 2026-06-17
CVE-2025-3033 After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. *This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137. 7.7 0.15% 2025-04-01 2026-06-17
CVE-2026-6774 Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. 5.4 0.15% 2026-04-21 2026-06-17
CVE-2025-4088 A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138. 6.5 0.15% 2025-04-29 2026-06-17
CVE-2025-10536 Information disclosure in the Networking: Cache component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3. 6.2 0.15% 2025-09-16 2026-06-17
CVE-2025-55033 Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks. This vulnerability was fixed in Focus for iOS 142. 6.1 0.15% 2025-08-19 2026-06-17
CVE-2026-15718 We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw. This vulnerability was fixed in Firefox 152.0.6. 4.3 0.16% 2026-07-14 2026-07-14
CVE-2025-4089 Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 138 and Thunderbird 138. 5.1 0.16% 2025-04-29 2026-06-17
CVE-2025-14331 Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. 6.5 0.16% 2025-12-09 2026-06-17
CVE-2026-9309 Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2. 5.4 0.16% 2026-06-01 2026-06-17
CVE-2026-9308 Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2. 5.4 0.16% 2026-06-01 2026-06-17
CVE-2026-6762 Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. 6.3 0.16% 2026-04-21 2026-06-17
CVE-2022-22757 Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97. 6.5 0.16% 2022-12-22 2026-06-17
CVE-2026-12321 JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. 5.4 0.16% 2026-06-16 2026-06-17
CVE-2026-0818 When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, 4.3 0.16% 2026-01-28 2026-06-17
CVE-2022-36315 When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103. 4.3 0.16% 2022-12-22 2026-06-17
CVE-2026-6777 Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. 5.3 0.16% 2026-04-21 2026-06-17
CVE-2026-12330 Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. 5.4 0.16% 2026-06-16 2026-06-17
CVE-2026-12322 Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. 5.4 0.17% 2026-06-16 2026-06-17
CVE-2026-6654 Double-Free / Use-After-Free (UAF) in the `IntoIter::drop` and `ThinVec::clear` functions in the thin_vec crate. A panic in `ptr::drop_in_place` skips setting the length to zero. 5.1 0.17% 2026-04-20 2026-07-14
«« First « Prev Page 2 / 129 Next »
cvelogic Threat Intelligence