Severity
Medium
Analysis Summary
CVE-2025-5263 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by error handling for script execution being incorrectly isolated from web content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to allow cross-origin leak attacks.
CVE-2025-5264 CVSS:5.3
Mozilla Firefox could allow a local attacker to execute arbitrary code on the system, caused by insufficient escaping of the newline character in the “Copy as cURL” feature. By persuading a victim into using this command, an attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2025-5265 CVSS:7.8
Mozilla Firefox could allow a local attacker to execute arbitrary code on the system, caused by insufficient escaping of the ampersand character in the “Copy as cURL” feature. By persuading a victim into using this command, an attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2025-5266 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information. Script element events leak cross-origin resource status.
Impact
- Information Disclosure
- Denial of Service
- Code Execution
Indicators of Compromise
CVE
CVE-2025-5263
CVE-2025-5264
CVE-2025-5265
CVE-2025-5266
Affected Vendors
Affected Products
- Mozilla Firefox Esr - 128.10
- Mozilla Thunderbird - 138.0
- Mozilla Thunderbird - 128.10
- Mozilla Firefox - 138.0
- Mozilla Firefox ESR - 115.23
Remediation
Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.