Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.

https://www.mozilla.org/security/advisories/mfsa2025-45/

https://www.mozilla.org/security/advisories/mfsa2025-46/

OR
          *cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* versions up to (excluding) 139.0
          *cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* versions up to (excluding) 115.24.0
          *cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* versions from (including) 116.0 up to (excluding) 128.11.0

Mozilla Corporation: https://bugzilla.mozilla.org/show_bug.cgi?id=1962301 Types: Permissions Required

Mozilla Corporation: https://www.mozilla.org/security/advisories/mfsa2025-42/ Types: Vendor Advisory

Mozilla Corporation: https://www.mozilla.org/security/advisories/mfsa2025-43/ Types: Vendor Advisory

Mozilla Corporation: https://www.mozilla.org/security/advisories/mfsa2025-44/ Types: Vendor Advisory

AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE-77

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.

https://bugzilla.mozilla.org/show_bug.cgi?id=1962301

https://www.mozilla.org/security/advisories/mfsa2025-42/

https://www.mozilla.org/security/advisories/mfsa2025-43/

https://www.mozilla.org/security/advisories/mfsa2025-44/