LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CVE DATABASE  /  CVE-2015-4495

CVE-2015-4495

Mozilla Firefox Security Feature Bypass Vulnerability

CVSS 8.8 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog

Confirmed exploited in the wild. Added 2022-05-25. Federal remediation due 2022-06-15.
Required action: Apply updates per vendor instructions.

Summary

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

CVSS 3.1 breakdown

Base score8.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack vectorNETWORK
Attack complexityLOW
Privileges requiredNONE
User interactionREQUIRED
ScopeUNCHANGED
ConfidentialityHIGH
IntegrityHIGH
AvailabilityHIGH

Weakness type (CWE)

Affected products

Mozilla firefoxMozilla firefox osOracle solarisCanonical ubuntu linuxRedhat enterprise linux desktopRedhat enterprise linux eusRedhat enterprise linux serverRedhat enterprise linux server ausRedhat enterprise linux server tusRedhat enterprise linux workstationSuse linux enterprise debuginfoOpensuse opensuseSuse linux enterprise desktopSuse linux enterprise serverSuse linux enterprise software development kit
Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-04-22. Always verify against the vendor advisory before acting.

Scroll to Top