Mozilla has issued an urgent update for Firefox, patching two critical memory corruption flaws (CVSS 9.8) that could allow remote code execution. Update now!
Librewolf is in the process of updating; perhaps some distributions of it have released new binaries already but the flathub release is still 139.0.1. In git you can see they bumped the version to get 139.0.4 (the version with the fix) here, 18 hours ago; presumably flathub will get that in the near future.
Are forks like Librewolf also affected? And have they been updated?
Yes
Librewolf is in the process of updating; perhaps some distributions of it have released new binaries already but the flathub release is still 139.0.1. In git you can see they bumped the version to get 139.0.4 (the version with the fix) here, 18 hours ago; presumably flathub will get that in the near future.