VYPR

Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2020-35111 | Med | Jan 7, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. This…

  • CVE-2020-26953 | Med | Dec 9, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

  • CVE-2020-12397 | Med | May 22, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0.

  • CVE-2020-6797 | Med | Mar 2, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application,…

  • CVE-2020-6792 | Med | Mar 2, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5.

  • CVE-2018-12374 | Med | Oct 18, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    Plaintext of decrypted emails can leak when a user submits an embedded form by pressing the Enter key within a text input field. This vulnerability affects Thunderbird < 52.9.

  • CVE-2018-12367 | Med | Oct 18, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer.…

  • CVE-2018-5170 | Med | Jun 11, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

  • CVE-2018-5161 | Med | Jun 11, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    Crafted message headers can cause a Thunderbird process to hang on receiving the message. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

  • CVE-2017-7847 | Med | Jun 11, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain the user name. This vulnerability affects Thunderbird < 52.5.2.

  • CVE-2017-5451 | Med | Jun 11, 2018
    risk 0.28 | cvss 4.3 | epss 0.02

    A mechanism to spoof the addressbar through the user interaction on the addressbar and the "onblur" event. The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This…

  • CVE-2016-5250 | Med | Aug 5, 2016
    risk 0.28 | cvss 4.3 | epss 0.02

    Mozilla Firefox before 48.0, Firefox ESR < 45.4 and Thunderbird < 45.4 allow remote attackers to obtain sensitive information about the previously retrieved page via Resource Timing API calls.

  • CVE-2016-1957 | Med | Mar 13, 2016
    risk 0.28 | cvss 4.3 | epss 0.02

    Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array.

  • CVE-2026-2802 | Med | Feb 24, 2026
    risk 0.27 | cvss 4.2 | epss 0.00

    Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2025-0240 | Med | Jan 7, 2025
    risk 0.26 | cvss 4.0 | epss 0.01

    Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

  • CVE-2025-0239 | Med | Jan 7, 2025
    risk 0.26 | cvss 4.0 | epss 0.00

    When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

  • CVE-2019-11743 | Low | Sep 27, 2019
    risk 0.24 | cvss 3.7 | epss 0.02

    Navigation events were not fully adhering to the W3C's "Navigation-Timing Level 2" draft specification in some instances for the unload event, which restricts access to detailed timing attributes to only be same-origin. This resulted in potential cross-origin information…

  • CVE-2025-6425 | Med | Jun 24, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR…

  • CVE-2024-9680 | KEV | Oct 9, 2024
    risk 0.20 | cvss | epss 0.33

    An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR <…

  • CVE-2023-34414 | Low | Jun 19, 2023
    risk 0.20 | cvss 3.1 | epss 0.01

    The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before…
