CVE-2026-4688
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk41th percentile - higher than 41% of all known CVEs
Summary
A sandbox escape vulnerability due to a use-after-free in the Disability Access APIs component. The flaw was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Risk Assessment
An attacker could exploit this vulnerability to break out of the browser sandbox, potentially leading to arbitrary code execution in the operating system context and full device compromise.
Recommendation
Immediately update Firefox to version 149 or later, and Firefox ESR to version 140.9 or later. For Thunderbird, update to version 149 or 140.9.
Original NVD description (English source)
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

