VYPR

Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2026-2801 · High · Feb 24, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2026-2783 · High · Feb 24, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

  • CVE-2026-0889 · High · Jan 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

  • CVE-2025-14327 · High · Dec 9, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.

  • CVE-2025-13025 · High · Nov 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

  • CVE-2025-13016 · High · Nov 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

  • CVE-2025-13012 · High · Nov 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.

  • CVE-2025-9182 · High · Aug 19, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.

  • CVE-2025-5270 · High · May 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.

  • CVE-2025-3875 · High · May 14, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This…

  • CVE-2025-1937 · High · Mar 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.…

  • CVE-2025-1933 · High · Mar 4, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. This can potentially cause them to be treated as a different type. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and…

  • CVE-2025-1931 · High · Mar 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

  • CVE-2025-1012 · High · Feb 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A race during concurrent delazification could have led to a use-after-free. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

  • CVE-2024-0743 · High · Jan 23, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9.

  • CVE-2023-5728 · High · Oct 25, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    During garbage collection, extra operations were performed on an object that should not be. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

  • CVE-2023-5724 · High · Oct 25, 2023
    risk 0.49 · cvss 7.5 · epss 0.02

    Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

  • CVE-2023-4583 · High · Sep 11, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    When checking if the Browsing Context had been discarded in `HttpBaseChannel`, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended. This vulnerability…

  • CVE-2023-4051 · High · Aug 1, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 116, Firefox ESR < 115.2, and Thunderbird < 115.2.

  • CVE-2023-3417 · High · Jul 24, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file…
