QwikSec

Security Database

CVE

CWE

Training

CVE-2025-6430

Published: Jun 24, 2025

Modified: Apr 13, 2026

PUBLISHED

Description

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Vendor	Product	Versions
Mozilla	Firefox	unaffected `128.12 - <= 128.` unaffected `140 - <= `
Mozilla	Thunderbird	unaffected `128.12 - <= 128.` unaffected `140 - <= `

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1971140

https://www.mozilla.org/security/advisories/mfsa2025-51/

https://www.mozilla.org/security/advisories/mfsa2025-53/

https://www.mozilla.org/security/advisories/mfsa2025-54/

https://www.mozilla.org/security/advisories/mfsa2025-55/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2025-6430 - Security Vulnerability | QwikSec