Analysis Summary

CVE-2025-5986 CVSS:8.1

Mozilla Thunderbird could allow a remote attacker to obtain sensitive information, caused by an error while using mailbox:/// links. By persuading a victim to download a specially crafted .pdf file, an attacker could exploit this vulnerability to download files, exhaust disk space or to leak hashed Windows credentials.

CVE-2025-49709 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory corruption in canvas surfaces. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-49710 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in OrderedHashTable used by the JavaScript engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5267 CVSS:6.7

Mozilla Firefox could allow a remote attacker to conduct clickjacking attack. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to trick a user into leaking saved payment card details to a malicious page.

CVE-2025-5268 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5269 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5270 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by SNI being sent unencrypted even when encrypted DNS was enabled. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.

CVE-2025-5271 CVSS:4.3

Mozilla Firefox is vulnerable to a content injection attack when previewing a response in Devtools ignored CSP headers.

Impact

• Information Disclosure
• Code Execution
• Gain Access

Indicators of Compromise

CVE

• CVE-2025-5986
• CVE-2025-49709
• CVE-2025-49710
• CVE-2025-5267
• CVE-2025-5268
• CVE-2025-5269
• CVE-2025-5270
• CVE-2025-5271

Affected Vendors

Affected Products

• Mozilla Firefox Esr - 128.10
• Mozilla Firefox - 138.0.3
• Mozilla Thunderbird - 128.11.1
• Mozilla Thunderbird - 139.0.2
• Mozilla Firefox - 139.0.3
• Mozilla Thunderbird - 138.0
• Mozilla Thunderbird - 128.10

Remediation

Refer to Mozilla Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-5986

CVE-2025-49709

CVE-2025-49710

CVE-2025-5267

CVE-2025-5268

CVE-2025-5269

CVE-2025-5270

CVE-2025-5271