VYPR

Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2025-5265 | Med | May 27, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of…

  • CVE-2025-5264 | Med | May 27, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24,…

  • CVE-2025-4087 | Med | Apr 29, 2025
    risk 0.31 | cvss 4.8 | epss 0.00

    A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability was fixed in Firefox 138,…

  • CVE-2020-12399 | Med | Jul 9, 2020
    risk 0.29 | cvss 4.4 | epss 0.01

    NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

  • CVE-2026-12320 | Med | Jun 16, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12303 | Med | Jun 16, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-0818 | Med | Jan 28, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer…

  • CVE-2026-0887 | Med | Jan 13, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

  • CVE-2025-6434 | Med | Jun 24, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140…

  • CVE-2025-5266 | Med | May 27, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-5263 | Med | May 27, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-1935 | Med | Mar 4, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

  • CVE-2025-1019 | Med | Feb 4, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2024-0749 | Med | Jan 23, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7.

  • CVE-2024-0742 | Med | Jan 23, 2024
    risk 0.28 | cvss 4.3 | epss 0.01

    It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

  • CVE-2023-50762 | Med | Dec 19, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally…

  • CVE-2023-50761 | Med | Dec 19, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time…

  • CVE-2023-5726 | Med | Oct 25, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. *Note: This issue only affected macOS operating systems. Other operating systems are unaffected.* This vulnerability…

  • CVE-2023-5725 | Med | Oct 25, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.

  • CVE-2023-5721 | Med | Oct 25, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
