Mozilla Thunderbird vulnerabilities

1,719 known vulnerabilities affecting mozilla/thunderbird.

Total CVEs: 1,719
CISA KEV: 14 (actively exploited)
Public exploits: 55
Exploited in wild: 18
Severity breakdown: CRITICAL 611, HIGH 500, MEDIUM 581, LOW 27

Vulnerabilities

Page 2 of 86
CVE-2026-4691 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-416: Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4700 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-288: Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4696 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-416: Use-after-free in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4698 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-843: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4717 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4716 | CRITICAL | CVSS 9.1 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-908: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4708 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4719 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4699 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4713 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4714 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4684 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-362: Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4707 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4718 | HIGH | CVSS 8.1 | fixed in 140.9.0; fixed in 149.0; +2 more | 2026-03-24
CWE-758: Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4727 | HIGH | CVSS 7.5 | fixed in 149.0; ≥ unspecified, < 149 | 2026-03-24
CWE-400: Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Sources: cvelistv5, nvd
CVE-2026-4690 | HIGH | CVSS 8.6 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-190: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4685 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4704 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-400: Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd
CVE-2026-4371 | HIGH | CVSS 7.4 | fixed in 140.9.0; fixed in 149.0; +2 more | 2026-03-24
CWE-126: A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability affects Thunderbird < 149 and
Sources: cvelistv5, nvd
CVE-2026-4693 | HIGH | CVSS 7.5 | ≥ unspecified, < 149; ≥ unspecified, < 140.9 | 2026-03-24
CWE-754: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Sources: cvelistv5, nvd