cbcvebase.

Mozilla Thunderbird vulnerabilities

1,911 known vulnerabilities affecting mozilla/thunderbird.

Total CVEs: 1,911
CISA KEV: 14 (actively exploited)
Public exploits: 58
Exploited in wild: 18
Severity breakdown: CRITICAL 625, HIGH 604, MEDIUM 651, LOW 31

Vulnerabilities

Page 3 of 96
CVE-2026-7320 | HIGH | CVSS 7.5 | fixed in 140.10.1 | fixed in 150.0.1 | 2026-04-28
CVE-2026-7320 [HIGH] CWE-119: Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
nvd, mozilla, redhat
CVE-2026-7324 | HIGH | CVSS 7.3 | fixed in 150.0.1 | 2026-04-28
CVE-2026-7324 [HIGH] CWE-119: Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
nvd, mozilla
CVE-2026-7322 | HIGH | CVSS 7.3 | fixed in 140.10.1 | fixed in 150.0.1 | 2026-04-28
CVE-2026-7322 [HIGH] CWE-119: Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and
nvd, mozilla, redhat
CVE-2026-6786 | HIGH | CVSS 7.5 | ≥ 140.0, < 140.10.0 | 2026-04-26
CVE-2026-6786 [HIGH] CWE-125: Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunder
nvd, mozilla
CVE-2026-6785 | HIGH | CVSS 7.5 | ≥ 140.0, < 140.10.0 | 2026-04-26
CVE-2026-6785 [HIGH] CWE-125: Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox
nvd, mozilla
CVE-2026-41907 | HIGH | CVSS 8.1 | 2026-04-24
CVE-2026-41907 [HIGH] CWE-787 uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality. A flaw was found in uuid. The library's versions v3, v5, and v6 do not adequately check the size of external memory buffers provided by applications. This oversight allows the library to write data beyond the designated buffer limits without signaling an error. Such out-of-bounds writes can
redhat
CVE-2026-41305 | MEDIUM | CVSS 6.1 | 2026-04-24
CVE-2026-41305 [MEDIUM] CWE-79 PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags. A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `<style>` tags, it fails to properly escape `</style>` sequences. This oversight
redhat
CVE-2026-41989 | MEDIUM | CVSS 6.7 | 2026-04-23
CVE-2026-41989 [MEDIUM] CWE-131 Libgcrypt: Denial of Service and buffer overflow via crafted ECDH ciphertext. A flaw was found in Libgcrypt. A remote attacker could exploit this vulnerability by sending crafted Elliptic Curve Diffie-Hellman (ECDH) ciphertext to the `gcry_pk_decrypt` function. This can lead to a heap-based buffer overflow, potentially causing a denial of service (DoS) condition. Mi
redhat
CVE-2026-41990 | MEDIUM | CVSS 4.0 | 2026-04-23
CVE-2026-41990 [MEDIUM] CWE-787 Libgcrypt: Denial of Service or data integrity issues from missing bounds check during Dilithium signing. A flaw was found in Libgcrypt. During Dilithium signing operations, the library fails to perform a bounds check when writing to a static array. While the data involved is not directly controlled by an attacker, this vulnerability cou
redhat
CVE-2026-41988 | LOW | CVSS 3.2 | 2026-04-23
CVE-2026-41988 [LOW] CWE-787 uuid: Unexpected data writes when using external output buffers with specific UUID versions. A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected. Pack
redhat
CVE-2026-6771 | CRITICAL | CVSS 9.8 | ≥ 140.0, < 140.10.0 | 2026-04-21
CVE-2026-6771 [CRITICAL] CWE-288: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6748 | CRITICAL | CVSS 9.8 | fixed in 140.10.0 | 2026-04-21
CVE-2026-6748 [CRITICAL] CWE-457: Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6760 | CRITICAL | CVSS 9.8 | fixed in 150.0 | 2026-04-21
CVE-2026-6760 [CRITICAL] CWE-288: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6768 | CRITICAL | CVSS 9.8 | fixed in 150.0 | 2026-04-21
CVE-2026-6768 [CRITICAL] CWE-288: Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6752 | HIGH | CVSS 7.3 | ≥ 140.0, < 140.10.0 | 2026-04-21
CVE-2026-6752 [HIGH] CWE-119: Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6782 | HIGH | CVSS 7.5 | fixed in 150.0 | 2026-04-21
CVE-2026-6782 [HIGH] CWE-200: Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6766 | HIGH | CVSS 7.5 | fixed in 140.10.0 | 2026-04-21
CVE-2026-6766 [HIGH] CWE-754: Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6761 | HIGH | CVSS 8.8 | fixed in 140.10.0 | 2026-04-21
CVE-2026-6761 [HIGH] CWE-269: Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6753 | HIGH | CVSS 7.3 | ≥ 140.0, < 140.10.0 | 2026-04-21
CVE-2026-6753 [HIGH] CWE-119: Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6784 | HIGH | CVSS 7.5 | fixed in 150.0 | 2026-04-21
CVE-2026-6784 [HIGH] CWE-125: Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla