CVE-2024-4367

HIGHNVD 8.88.8—

8.8

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

CVSS v3: 8.8
EG Score: 8.8(medium)
EPSS: 97.3%
KEV: Not listed

Published

May 14, 2024

Last Modified

May 12, 2026

Advisory Details (9)

Auto-updated May 12, 2026

🔬 Proof of concept available. Patch available.

generic🟡 PoC Available

Stored XSS in PDF renderer · Issue #7928 · gogs/gogs · GitHub

https://github.com/gogs/gogs/issues/7928

generic🟡 PoC Available

CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

generic

1893645 - (CVE-2024-4367) Arbitrary Javascript injection in PDF.js through FontMatrix

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

generic

Full Disclosure: OXAS-ADV-2024-0004: OX App Suite Security Advisory

http://seclists.org/fulldisclosure/2024/Aug/30

generic

Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla

https://www.mozilla.org/security/advisories/mfsa2024-23/

generic

Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla

https://www.mozilla.org/security/advisories/mfsa2024-22/

generic

Security Vulnerabilities fixed in Firefox 126 — Mozilla

https://www.mozilla.org/security/advisories/mfsa2024-21/

generic Patch Available

[SECURITY] [DLA 3817-1] thunderbird security update

https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html

generic Patch Available

[SECURITY] [DLA 3815-1] firefox-esr security update

https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html

Vendor Advisories for CVE-2024-4367(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

patch-release-gitlab-17-0-1-released
GitLab Security
GitLab Patch Release: 17.0.1, 16.11.3, 16.10.6

Frequently asked(5)

What is CVE-2024-4367?

CVE-2024-4367 is a high vulnerability published on May 14, 2024. A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

When was CVE-2024-4367 disclosed?

CVE-2024-4367 was first published in the National Vulnerability Database on May 14, 2024, with the most recent update on May 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2024-4367 actively exploited?

CVE-2024-4367 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 97.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2024-4367?

CVE-2024-4367 has a CVSS v3 base score of 8.8 (NVD).

How do I remediate CVE-2024-4367?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2024-4367, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-4367

Explore →

Is Your Infrastructure Affected by CVE-2024-4367?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2024-4367

HIGHNVD 8.88.8—

Frequently asked(5)

What is CVE-2024-4367?

When was CVE-2024-4367 disclosed?

Is CVE-2024-4367 actively exploited?

What is the CVSS score of CVE-2024-4367?

CVE-2024-4367 has a CVSS v3 base score of 8.8 (NVD).

How do I remediate CVE-2024-4367?

CVE-2024-4367

📅 Published

🔄 Last Modified

📋 Advisory Details (9)

Stored XSS in PDF renderer · Issue #7928 · gogs/gogs · GitHub

CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs

1893645 - (CVE-2024-4367) Arbitrary Javascript injection in PDF.js through FontMatrix

Full Disclosure: OXAS-ADV-2024-0004: OX App Suite Security Advisory

Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla

Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla

Security Vulnerabilities fixed in Firefox 126 — Mozilla

[SECURITY] [DLA 3817-1] thunderbird security update

[SECURITY] [DLA 3815-1] firefox-esr security update

📣 Vendor Advisories for CVE-2024-4367(1)

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2024-4367?

CVE-2024-4367

📅 Published

🔄 Last Modified

📋 Advisory Details (9)

Stored XSS in PDF renderer · Issue #7928 · gogs/gogs · GitHub

CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs

1893645 - (CVE-2024-4367) Arbitrary Javascript injection in PDF.js through FontMatrix

Full Disclosure: OXAS-ADV-2024-0004: OX App Suite Security Advisory

Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla

Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla

Security Vulnerabilities fixed in Firefox 126 — Mozilla

[SECURITY] [DLA 3817-1] thunderbird security update

[SECURITY] [DLA 3815-1] firefox-esr security update

📣 Vendor Advisories for CVE-2024-4367(1)

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2024-4367?

🔗 Related CVEs(same product + same vendor)

Same vendor

Published

Last Modified

Advisory Details (9)

Vendor Advisories for CVE-2024-4367(1)

Frequently asked(5)

Published

Last Modified

Advisory Details (9)

Vendor Advisories for CVE-2024-4367(1)

Frequently asked(5)

Related CVEs(same product + same vendor)