Mozilla threat watch

Mozilla product CVE coverage — Firefox, Thunderbird, browser engine, and certificate-handling vulnerabilities.

Vendor watch hub

What this page covers

The Mozillawatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

Confirm whether recent Mozilla activity overlaps with your environment.
Prioritize advisories by MSP-relevance score, severity, and status.
Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

143

Active

Featured

Unique CVEs

Most recent entry

Apr 7, 2026, 8:16 AM

Feed refreshes daily · 5:15 a.m. Central

Sources·CISA KEV and NVD (product vendor coverage)

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Watch items

Recent Mozilla watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.

20 rows · sorted newest first

Operations view

firefox vulnerability (CVE-2026-5735)

CRITICAL

watchNVDCVE-2026-5735

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Apr 7, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-5734)

CRITICAL

watchNVDCVE-2026-5734

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Apr 7, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4727)

HIGH

watchNVDCVE-2026-4727

Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4726)

HIGH

watchNVDCVE-2026-4726

Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4725)

CRITICAL

watchNVDCVE-2026-4725

Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4724)

CRITICAL

watchNVDCVE-2026-4724

Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4723)

CRITICAL

watchNVDCVE-2026-4723

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4719)

HIGH

watchNVDCVE-2026-4719

Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4718)

HIGH

watchNVDCVE-2026-4718

Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4717)

CRITICAL

watchNVDCVE-2026-4717

Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4716)

CRITICAL

watchNVDCVE-2026-4716

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4715)

CRITICAL

watchNVDCVE-2026-4715

Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4714)

HIGH

watchNVDCVE-2026-4714

Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4713)

HIGH

watchNVDCVE-2026-4713

Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4712)

HIGH

watchNVDCVE-2026-4712

Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4711)

CRITICAL

watchNVDCVE-2026-4711

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4710)

CRITICAL

watchNVDCVE-2026-4710

Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4709)

HIGH

watchNVDCVE-2026-4709

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4708)

HIGH

watchNVDCVE-2026-4708

Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

firefox vulnerability (CVE-2026-4707)

HIGH

watchNVDCVE-2026-4707

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mar 24, 2026, 8:16 AMOfficial source

Alert	Exposure	Status	Published	Source
firefox vulnerability (CVE-2026-5735) Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2. firefox	CRITICALCVE-2026-5735 Watch	watch	Apr 7, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-5734) Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. firefox	CRITICALCVE-2026-5734 Watch	watch	Apr 7, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4727) Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox	HIGHCVE-2026-4727 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4726) Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox	HIGHCVE-2026-4726 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4725) Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox	CRITICALCVE-2026-4725 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4724) Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox	CRITICALCVE-2026-4724 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4723) Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox	CRITICALCVE-2026-4723 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4719) Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4719 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4718) Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4718 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4717) Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	CRITICALCVE-2026-4717 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4716) Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	CRITICALCVE-2026-4716 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4715) Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	CRITICALCVE-2026-4715 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4714) Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4714 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4713) Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4713 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4712) Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4712 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4711) Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	CRITICALCVE-2026-4711 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4710) Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	CRITICALCVE-2026-4710 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4709) Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4709 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4708) Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4708 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source
firefox vulnerability (CVE-2026-4707) Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox	HIGHCVE-2026-4707 Watch	watch	Mar 24, 2026, 8:16 AM	NVDOpen source

Related vendors

Other productivity vendors in the radar

Google Workspace Microsoft Apple Adobe Oracle Google Atlassian Dell

ITECS response pathways

Turn the Mozilla watch feed into an action plan

These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.

Endpoint detection & response

Use the endpoint detection & response pathway when this vendor alert needs an ITECS-managed response plan.

Cybersecurity services

Connect the vendor watch page to broader managed detection, response, and governance planning.

Cybersecurity assessment

Translate current watch items into a faster risk snapshot and prioritized remediation plan.

Threat Radar hub

Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.

Vendor watch FAQ

Common questions

What is the Mozilla threat watch page?

It is the Mozilla-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the Mozilla watch page?

Use it to confirm whether current Mozilla issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to Mozilla security issues?

Yes. ITECS can help map Mozilla advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.

Back to Threat Radar hub Endpoint detection & response