Mozilla Firefox < 149.0

🗓️ 24 Mar 2026 00:00:00Reported by TenableType

Firefox older than 149.0 on macOS is affected by multiple CVEs per MFSA2026-20.

Reporter	Title	Published	Views	Family All 2509
IBM Security Bulletins	Security Bulletin: AIX/VIOS is affected by multiple vulnerabilities due to Python	19 Nov 202515:04	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in expat affects IBM Netezza Appliance	15 Dec 202512:35	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in expat library (CVE-2025-59375) affects Power HMC.	31 Mar 202615:27	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty and Expat that are shipped with IBM CICS TX Standard.	24 Mar 202613:54	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of libexpat , IBM Sterling Connect:Direct Web Services is affected by large memory allocations issue.	17 Dec 202506:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues	27 Feb 202615:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Financial Transaction Manager is impacted by multiple vulnerabilities in RedHat Proxy for Kubernetes RBAC authorization	9 Feb 202614:45	–	ibm
IBM Security Bulletins	Security Bulletin: Oracle Outside In Technology (OIT) v8.5.7 BP9, v8.5.8 BP2 vulnerabilities CVE-2025-54874 (vulnerable), CVE-2025-59375 (vulnerable) in FileNet Content Manager (FNCM) Content Based Retrieval (CBR) content indexing	3 Jun 202613:57	–	ibm
IBM Security Bulletins	Security Bulletin: EDB PGAI Hybrid Management with IBM is affected by Multiple Vulnerabilities.	7 Apr 202613:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image	10 Mar 202607:52	–	ibm

Source	Link
mozilla	www.mozilla.org/en-US/security/advisories/mfsa2026-20/
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
## 
# (C) Tenable, Inc.
#                                  
# The descriptive text and package checks in this plugin were
# extracted from Mozilla Foundation Security Advisory mfsa2026-20.
# The text itself is copyright (C) Mozilla Foundation.
##

include('compat.inc');

if (description)
{
  script_id(303471);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id(
    "CVE-2025-59375",
    "CVE-2026-4684",
    "CVE-2026-4685",
    "CVE-2026-4686",
    "CVE-2026-4687",
    "CVE-2026-4688",
    "CVE-2026-4689",
    "CVE-2026-4690",
    "CVE-2026-4691",
    "CVE-2026-4692",
    "CVE-2026-4693",
    "CVE-2026-4694",
    "CVE-2026-4695",
    "CVE-2026-4696",
    "CVE-2026-4697",
    "CVE-2026-4698",
    "CVE-2026-4699",
    "CVE-2026-4700",
    "CVE-2026-4701",
    "CVE-2026-4702",
    "CVE-2026-4704",
    "CVE-2026-4705",
    "CVE-2026-4706",
    "CVE-2026-4707",
    "CVE-2026-4708",
    "CVE-2026-4709",
    "CVE-2026-4710",
    "CVE-2026-4711",
    "CVE-2026-4712",
    "CVE-2026-4713",
    "CVE-2026-4714",
    "CVE-2026-4715",
    "CVE-2026-4716",
    "CVE-2026-4717",
    "CVE-2026-4718",
    "CVE-2026-4719",
    "CVE-2026-4720",
    "CVE-2026-4721",
    "CVE-2026-4722",
    "CVE-2026-4723",
    "CVE-2026-4724",
    "CVE-2026-4725",
    "CVE-2026-4726",
    "CVE-2026-4727",
    "CVE-2026-4728",
    "CVE-2026-4729"
  );
  script_xref(name:"IAVA", value:"2026-A-0274-S");

  script_name(english:"Mozilla Firefox < 149.0");

  script_set_attribute(attribute:"synopsis", value:
"A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Firefox installed on the remote macOS or Mac OS X host is prior to 149.0. It is, therefore, affected by
multiple vulnerabilities as referenced in the mfsa2026-20 advisory.

  - Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects
    Firefox < 149 and Thunderbird < 149. (CVE-2026-4725)

  - Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox <
    149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
    (CVE-2026-4684)

  - Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox <
    149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
    (CVE-2026-4685, CVE-2026-4686, CVE-2026-4706, CVE-2026-4707)

  - Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects
    Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
    (CVE-2026-4687)

  - Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects
    Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. (CVE-2026-4688)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 149.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-4725");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("installed_sw/Mozilla Firefox");

  exit(0);
}

include('vdf.inc');

# @tvdl-content-verify-only
var vuln_data = {
  "metadata": {
    "spec_version": "1.0"
  },
  "requires": [
    {
      "scope": "target",
      "match": {
        "os": "macos"
      }
    }
  ],
  "checks": [
    {
      "product": {
        "name": "Mozilla Firefox",
        "type": "app"
      },
      "check_algorithm": "default",
      "constraints": [
        {
          "fixed_version": "149.0"
        }
      ]
    }
  ]
};

var vdf_result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE);
vdf::handle_check_and_report_errors(vdf_result:vdf_result);

30 Apr 2026 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.110

EPSS0.00102

SSVC