VulnerableCode Package Details - pkg:deb/debian/firefox-esr@128.12.0esr-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-j6w1-yhc3-uqfw	An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.	CVE-2025-6425
VCID-mrb2-hz9y-4ufp	When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.	CVE-2025-6430
VCID-r29z-4m4j-8kft	A use-after-free in FontFaceSet resulted in a potentially exploitable crash.	CVE-2025-6424
VCID-s89g-7f5f-5qd2	Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.	CVE-2025-6429

Vulnerability

Summary

Aliases

VCID-j6w1-yhc3-uqfw

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.

CVE-2025-6425

VCID-mrb2-hz9y-4ufp

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.

CVE-2025-6430

VCID-r29z-4m4j-8kft

A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

CVE-2025-6424

VCID-s89g-7f5f-5qd2

Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

CVE-2025-6429

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:13:37.173118+00:00	Debian Importer	Fixing	VCID-s89g-7f5f-5qd2	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:58:37.376522+00:00	Debian Importer	Fixing	VCID-j6w1-yhc3-uqfw	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:34:01.957426+00:00	Debian Importer	Fixing	VCID-mrb2-hz9y-4ufp	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:37:24.152094+00:00	Debian Importer	Fixing	VCID-r29z-4m4j-8kft	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:45:15.964159+00:00	Debian Importer	Fixing	VCID-mrb2-hz9y-4ufp	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:38:02.799477+00:00	Debian Importer	Fixing	VCID-s89g-7f5f-5qd2	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:41:02.617223+00:00	Debian Importer	Fixing	VCID-j6w1-yhc3-uqfw	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:48:00.334278+00:00	Debian Importer	Fixing	VCID-r29z-4m4j-8kft	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:23:48.313634+00:00	Debian Importer	Fixing	VCID-mrb2-hz9y-4ufp	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:23:48.255816+00:00	Debian Importer	Fixing	VCID-s89g-7f5f-5qd2	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:23:48.153350+00:00	Debian Importer	Fixing	VCID-j6w1-yhc3-uqfw	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:23:48.094561+00:00	Debian Importer	Fixing	VCID-r29z-4m4j-8kft	https://security-tracker.debian.org/tracker/data/json	38.1.0