CVE-2026-4725 — Vulnetix

CVE-2026-4725 PUBLISHED CVSS 10 CRITICAL

Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149.

EPSS 0.02% · 3.5th percentile

Risk Scores

CVSS 3.1

10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.02%

3.5th percentile

Affected Products

Vendor	Product	Versions
Mozilla	Firefox ESR	unspecified, unspecified
Mozilla	Firefox	unspecified, 149
Mozilla	Thunderbird	unspecified, *, 149
mozilla	firefox	0

Exploit Intelligence

CIRCL seen: CVE-2026-4725 (circl-sighting)
CIRCL seen: CVE-2026-4725 (circl-sighting)
CIRCL seen: CVE-2026-4725 (circl-sighting)
CIRCL seen: CVE-2026-4725 (circl-sighting)
https://bugzilla.mozilla.org/show_bug.cgi?id=2017108 (circl)
https://www.mozilla.org/security/advisories/mfsa2026-24/ (circl)
https://bugzilla.mozilla.org/show_bug.cgi?id=2011129 (circl)
https://www.mozilla.org/security/advisories/mfsa2026-23/ (circl)
https://www.mozilla.org/security/advisories/mfsa2026-22/ (circl)
https://www.mozilla.org/security/advisories/mfsa2026-21/ (circl)

…and 17 more exploits

Timeline

Mar 24, 2026 CVE Published
Mar 24, 2026 PoC Published
Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 25, 2026 PoC Published
Mar 25, 2026 PoC Published
Mar 25, 2026 PoC Published
Mar 25, 2026 PoC Published
Mar 25, 2026 PoC Published
Mar 26, 2026 EPSS Score
Mar 27, 2026 Coalition ESS Score
Mar 29, 2026 PoC Published

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›