VYPR

Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2026-2804 | Med | Feb 24, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2026-0890 | Med | Jan 13, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-10531 | Med | Sep 16, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Mitigation bypass in the Web Compatibility: Tooling component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.

  • CVE-2025-5267 | Med | May 27, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-0237 | Med | Jan 7, 2025
    risk 0.35 | cvss 5.4 | epss 0.01

    The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR…

  • CVE-2023-6857 | Med | Dec 19, 2023
    risk 0.35 | cvss 5.3 | epss 0.01

    When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. *This bug only affects Firefox on Unix-based operating systems (Android, Linux, MacOS). Windows is unaffected.* This vulnerability affects Firefox ESR <…

  • CVE-2023-6206 | Med | Nov 21, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability…

  • CVE-2023-25730 | Med | Jun 2, 2023
    risk 0.35 | cvss 5.4 | epss 0.01

    A background script invoking requestFullscreen and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and…

  • CVE-2022-28286 | Med | Dec 22, 2022
    risk 0.35 | cvss 5.4 | epss 0.01

    Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

  • CVE-2022-1197 | Med | Dec 22, 2022
    risk 0.35 | cvss 5.4 | epss 0.00

    When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that…

  • CVE-2020-12405 | Med | Jul 9, 2020
    risk 0.35 | cvss 5.3 | epss 0.01

    When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

  • CVE-2020-6812 | Med | Mar 25, 2020
    risk 0.35 | cvss 5.3 | epss 0.02

    The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate device names, disclosing the user's name. To resolve this issue, Firefox added a…

  • CVE-2019-11761 | Med | Jan 8, 2020
    risk 0.35 | cvss 5.4 | epss 0.01

    By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects…

  • CVE-2019-9817 | Med | Jul 23, 2019
    risk 0.35 | cvss 5.3 | epss 0.01

    Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.

  • CVE-2019-11717 | Med | Jul 23, 2019
    risk 0.35 | cvss 5.3 | epss 0.02

    A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

  • CVE-2019-11698 | Med | Jul 23, 2019
    risk 0.35 | cvss 5.3 | epss 0.01

    If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event…

  • CVE-2019-9801 | Med | Apr 26, 2019
    risk 0.35 | cvss 5.3 | epss 0.01

    Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happen if the program has specifically registered itself as a "URL Handler" in the…

  • CVE-2018-18509 | Med | Apr 26, 2019
    risk 0.35 | cvss 5.3 | epss 0.02

    A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an…

  • CVE-2018-5168 | Med | Jun 11, 2018
    risk 0.35 | cvss 5.3 | epss 0.02

    Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. This…

  • CVE-2018-5117 | Med | Jun 11, 2018
    risk 0.35 | cvss 5.3 | epss 0.02

    If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displayed as a location, which can mislead users to believe they are…
