Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2025-4085 | High | Apr 29, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

  • CVE-2025-26696 | High | Mar 10, 2025
    risk 0.46 | cvss 7.0 | epss 0.00

    Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.

  • CVE-2014-1523 | Medium | Apr 30, 2014
    risk 0.43 | cvss 6.5 | epss 0.03

    Heap-based buffer overflow in the read_u32 function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG…

  • CVE-2026-12325 | Medium | Jun 16, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12319 | Medium | Jun 16, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12309 | Medium | Jun 16, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12302 | Medium | Jun 16, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-8971 | Medium | May 19, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.

  • CVE-2026-8961 | Medium | May 19, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

  • CVE-2026-6770 | Medium | Apr 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.05

    Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-6764 | Medium | Apr 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-6763 | Medium | Apr 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2026-6755 | Medium | Apr 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

  • CVE-2026-3889 | Medium | Mar 24, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

  • CVE-2026-4728 | Medium | Mar 24, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

  • CVE-2026-0885 | Medium | Jan 13, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-14331 | Medium | Dec 9, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

  • CVE-2025-11716 | Medium | Oct 14, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

  • CVE-2025-11711 | Medium | Oct 14, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

  • CVE-2025-10532 | Medium | Sep 16, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Incorrect boundary conditions in the JavaScript: GC component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
