QwikSec

Security Database

CVE

CWE

Training

CVE-2025-11712

Published: Oct 14, 2025

Modified: Apr 13, 2026

PUBLISHED

Description

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Vendor	Product	Versions
Mozilla	Firefox	unaffected `140.4 - <= 140.` unaffected `144 - <= `
Mozilla	Thunderbird	unaffected `140.4 - <= 140.` unaffected `144 - <= `

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1979536

https://www.mozilla.org/security/advisories/mfsa2025-81/

https://www.mozilla.org/security/advisories/mfsa2025-83/

https://www.mozilla.org/security/advisories/mfsa2025-84/

https://www.mozilla.org/security/advisories/mfsa2025-85/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.