VYPR

Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2020-15646 | Med | Oct 8, 2020
    risk 0.38 | cvss 5.9 | epss 0.01

    If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the…

  • CVE-2019-9793 | Med | Apr 26, 2019
    risk 0.38 | cvss 5.9 | epss 0.02

    A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will…

  • CVE-2025-4084 | Med | Apr 29, 2025
    risk 0.37 | cvss 5.7 | epss 0.00

    Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox…

  • CVE-2023-4054 | Med | Aug 1, 2023
    risk 0.36 | cvss 5.5 | epss 0.00

    When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 116, Firefox ESR < 102.14, Firefox ESR < 115.1,…

  • CVE-2023-29532 | Med | Jun 19, 2023
    risk 0.36 | cvss 5.5 | epss 0.00

    A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by…

  • CVE-2022-3266 | Med | Dec 22, 2022
    risk 0.36 | cvss 5.5 | epss 0.00

    An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

  • CVE-2022-36314 | Med | Dec 22, 2022
    risk 0.36 | cvss 5.5 | epss 0.00

    When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. *This bug only affects Firefox for Windows. Other operating systems are unaffected.* This vulnerability…

  • CVE-2020-12392 | Med | May 26, 2020
    risk 0.36 | cvss 5.5 | epss 0.00

    The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of…

  • CVE-2018-12383 | Med | Oct 18, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new…

  • CVE-2017-5414 | Med | Jun 11, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or the local account name. This vulnerability affects Firefox < 52 and Thunderbird…

  • CVE-2016-5294 | Med | Jun 11, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird <…

  • CVE-2016-5291 | Med | Jun 11, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    A same-origin policy bypass with local shortcut files to load arbitrary local content from disk. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

  • CVE-2014-1496 | Med | Mar 19, 2014
    risk 0.36 | cvss 5.5 | epss 0.00

    Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 might allow local users to gain privileges by modifying the extracted Mar contents during an update.

  • CVE-2026-12330 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.

  • CVE-2026-12323 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12322 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12321 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12299 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12298 | Med | Jun 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-6774 | Med | Apr 21, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
