The version of Firefox installed on the remote Windows host is prior to 150.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-30 advisory.

  - Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability     was fixed in Firefox 150 and Thunderbird 150. (CVE-2026-6783)

  - Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR     115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6746)

  - Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10,     Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6747)

  - Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox     150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6748, CVE-2026-6751)

  - Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability     was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
    (CVE-2026-6749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 140.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-39 advisory.

  - Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This     vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
    (CVE-2026-7321)

  - Information disclosure due to incorrect boundary conditions in the Audio/Video component. This     vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird     150.0.1, and Thunderbird 140.10.1. (CVE-2026-7320)

  - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in     Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
    (CVE-2026-8091)

  - Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed     evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2026-7322, CVE-2026-7323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 76763f24-4aae-11f1-88d3-b42e991fc52e advisory.

    https://bugzilla.mozilla.org/show_bug.cgi?id=2029301 reports:

              Incorrect boundary conditions in the Audio/Video: Playback               component.


Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote Windows host is prior to 140.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-36 advisory.

  - Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This     vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
    (CVE-2026-7321)

  - Information disclosure due to incorrect boundary conditions in the Audio/Video component. This     vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird     150.0.1, and Thunderbird 140.10.1. (CVE-2026-7320)

  - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in     Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
    (CVE-2026-8091)

  - Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of     these bugs showed evidence of memory corruption and we presume that with enough effort some of these could     have been exploited to run arbitrary code. (CVE-2026-7322)

  - Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence     of memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. (CVE-2026-7323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 115.35.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-42 advisory.

  - Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of     these bugs showed evidence of memory corruption and we presume that with enough effort some of these could     have been exploited to run arbitrary code. (CVE-2026-8092)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 140.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-39 advisory.

  - Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This     vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
    (CVE-2026-7321)

  - Information disclosure due to incorrect boundary conditions in the Audio/Video component. This     vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird     150.0.1, and Thunderbird 140.10.1. (CVE-2026-7320)

  - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in     Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
    (CVE-2026-8091)

  - Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed     evidence of memory corruption and we presume that with enough effort some of these could have been     exploited to run arbitrary code. (CVE-2026-7322, CVE-2026-7323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 150.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-33 advisory.

  - Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability     was fixed in Firefox 150 and Thunderbird 150. (CVE-2026-6783)

  - Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR     115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6746)

  - Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10,     Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6747)

  - Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox     150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6748, CVE-2026-6751)

  - Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability     was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
    (CVE-2026-6749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-fb08ad61f2 advisory.

    Update NSS to 3.122.1     Update to Firefox 150.0


    ----

    - New upstream release (149.0.2)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 150.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-30 advisory.

  - Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability     was fixed in Firefox 150 and Thunderbird 150. (CVE-2026-6783)

  - Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR     115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6746)

  - Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10,     Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6747)

  - Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox     150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6748, CVE-2026-6751)

  - Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability     was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
    (CVE-2026-6749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 150.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-33 advisory.

  - Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability     was fixed in Firefox 150 and Thunderbird 150. (CVE-2026-6783)

  - Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR     115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6746)

  - Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10,     Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6747)

  - Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox     150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. (CVE-2026-6748, CVE-2026-6751)

  - Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability     was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
    (CVE-2026-6749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in     Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
    (CVE-2026-8091)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 140.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-36 advisory.

  - Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This     vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
    (CVE-2026-7321)

  - Information disclosure due to incorrect boundary conditions in the Audio/Video component. This     vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird     150.0.1, and Thunderbird 140.10.1. (CVE-2026-7320)

  - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in     Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
    (CVE-2026-8091)

  - Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0 and Firefox 150.0.0. Some of     these bugs showed evidence of memory corruption and we presume that with enough effort some of these could     have been exploited to run arbitrary code. (CVE-2026-7322)

  - Memory safety bugs present in Firefox ESR 140.10.0 and Firefox 150.0.0. Some of these bugs showed evidence     of memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. (CVE-2026-7323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote Windows host is prior to 115.35.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-42 advisory.

  - Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of     these bugs showed evidence of memory corruption and we presume that with enough effort some of these could     have been exploited to run arbitrary code. (CVE-2026-8092)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
307899	Mozilla Firefox < 150.0	Nessus	Windows	4/21/2026	5/8/2026	medium
311286	Mozilla Thunderbird < 140.10.1	Nessus	Windows	4/30/2026	5/8/2026	critical
313461	FreeBSD : Mozilla -- Incorrect boundary conditions (76763f24-4aae-11f1-88d3-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	5/8/2026	5/8/2026	critical
310802	Mozilla Firefox ESR < 140.10.1	Nessus	Windows	4/29/2026	5/7/2026	critical
313044	Mozilla Firefox ESR < 115.35.2	Nessus	MacOS X Local Security Checks	5/7/2026	5/11/2026	critical
311287	Mozilla Thunderbird < 140.10.1	Nessus	MacOS X Local Security Checks	4/30/2026	5/8/2026	critical
309100	Mozilla Thunderbird < 150.0	Nessus	Windows	4/21/2026	5/7/2026	medium
310077	Fedora 44 : firefox / nss (2026-fb08ad61f2)	Nessus	Fedora Local Security Checks	4/24/2026	5/8/2026	medium
307895	Mozilla Firefox < 150.0	Nessus	MacOS X Local Security Checks	4/21/2026	5/8/2026	medium
309098	Mozilla Thunderbird < 150.0	Nessus	MacOS X Local Security Checks	4/21/2026	5/7/2026	medium
313177	Linux Distros Unpatched Vulnerability : CVE-2026-8091	Nessus	Misc.	5/7/2026	5/8/2026	critical
310800	Mozilla Firefox ESR < 140.10.1	Nessus	MacOS X Local Security Checks	4/29/2026	5/7/2026	critical
313045	Mozilla Firefox ESR < 115.35.2	Nessus	Windows	5/7/2026	5/11/2026	critical

Detections

Analytics

Plugins Search

medium

critical

critical

critical

critical

critical

medium

medium

medium

medium

critical

critical

critical