Back to search

Mozilla

Firefox

Mozilla web browser focused on open standards and privacy.

Stable Current train 140 (ESR) Switch to this train 115 (ESR) Switch to this train
Current version
Last checked: yesterday

149.0.2

Release date
April 07, 2026
CVE status
25 visible CVEs

Source

endoflife.date

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
149.0.2 2026-04-07 Release Notes
149.0 2026-03-24 Release Notes
148.0.2 2026-03-10 Release Notes

Vulnerability tracking

Review curated CVEs for this product and see whether the current version is marked affected. Only CVEs with a CVSS score of 7.0 or higher and published in the last 90 days are shown.

CVE Severity Published Status Summary
CVE-2026-5735 CRITICAL (9.8) 2026-04-07 Current versionnot affected

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Affected versions
  • Up to (excluding) 149.0.2
CVE-2026-5734 CRITICAL (9.8) 2026-04-07 Current versionnot affected

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Affected versions
  • Up to (excluding) 140.9.1
  • Up to (excluding) 149.0.2
CVE-2026-5733 HIGH (8.8) 2026-04-07 Current versionnot affected

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Affected versions
  • Up to (excluding) 149.0.2
CVE-2026-5732 HIGH (8.8) 2026-04-07 Current versionnot affected

Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Affected versions
  • Up to (excluding) 140.9.1
  • Up to (excluding) 149.0.2
CVE-2026-5731 CRITICAL (9.8) 2026-04-07 Current versionnot affected

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Affected versions
  • 115.34.0
  • 140.9.0
Show 1 more
  • 149.0.1
CVE-2026-4729 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4727 HIGH (7.5) 2026-03-24 Current versionnot affected

Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4726 HIGH (7.5) 2026-03-24 Current versionnot affected

Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4725 CRITICAL (10.0) 2026-03-24 Current versionnot affected

Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4724 CRITICAL (9.1) 2026-03-24 Current versionnot affected

Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4723 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4722 HIGH (8.8) 2026-03-24 Current versionnot affected

Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Affected versions
  • Up to (excluding) 149.0
CVE-2026-4721 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 115.34.0
  • Up to (excluding) 149.0
Show 1 more
  • From (including) 128.0 - Up to (excluding) 140.9.0
CVE-2026-4720 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4719 HIGH (7.5) 2026-03-24 Current versionnot affected

Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4718 HIGH (8.1) 2026-03-24 Current versionnot affected

Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4717 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4716 CRITICAL (9.1) 2026-03-24 Current versionnot affected

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4715 CRITICAL (9.1) 2026-03-24 Current versionnot affected

Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4714 HIGH (7.5) 2026-03-24 Current versionnot affected

Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4713 HIGH (7.5) 2026-03-24 Current versionnot affected

Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4712 HIGH (7.5) 2026-03-24 Current versionnot affected

Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4711 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4710 CRITICAL (9.8) 2026-03-24 Current versionnot affected

Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 140.9.0
  • Up to (excluding) 149.0
CVE-2026-4709 HIGH (7.5) 2026-03-24 Current versionnot affected

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Affected versions
  • Up to (excluding) 115.34.0
  • Up to (excluding) 149.0
Show 1 more
  • From (including) 128.0 - Up to (excluding) 140.9.0