Mozilla Thunderbird vulnerabilities
1,918 known vulnerabilities affecting mozilla/thunderbird.
Total CVEs: 1,918
CISA KEV: 14 (actively exploited)
Public exploits: 59
Exploited in wild: 18
Severity breakdown
CRITICAL: 625, HIGH: 610, MEDIUM: 652, LOW: 31
Vulnerabilities
CVE-2026-6768 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 150.0 | 2026-04-21
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6752 | HIGH | CVSS 7.3 | CWE-119 | ≥ 140.0, < 140.10.0 | 2026-04-21
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6782 | HIGH | CVSS 7.5 | CWE-200 | fixed in 150.0 | 2026-04-21
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6766 | HIGH | CVSS 7.5 | CWE-754 | fixed in 140.10.0 | 2026-04-21
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6761 | HIGH | CVSS 8.8 | CWE-269 | fixed in 140.10.0 | 2026-04-21
Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6753 | HIGH | CVSS 7.3 | CWE-119 | ≥ 140.0, < 140.10.0 | 2026-04-21
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6784 | HIGH | CVSS 7.5 | CWE-125 | fixed in 150.0 | 2026-04-21
Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6772 | HIGH | CVSS 7.5 | CWE-754 | fixed in 140.10.0 | 2026-04-21
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6781 | HIGH | CVSS 7.5 | CWE-400 | fixed in 150.0 | 2026-04-21
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6749 | HIGH | CVSS 7.5 | CWE-908 | fixed in 140.10.0 | 2026-04-21
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6750 | HIGH | CVSS 8.8 | CWE-269 | fixed in 140.10.0 | 2026-04-21
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6746 | HIGH | CVSS 7.5 | CWE-416 | fixed in 140.10.0 | 2026-04-21
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-22020 | HIGH | CVSS 7.1 | CWE-787 | 2026-04-21
openjdk: libpng: OpenJDK: Update LibPNG (Oracle CPU 2026-04)
No description is available for this CVE.
Package: java-11-openjdk (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-11-openjdk-portable (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-11-openjdk-windows (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-17-openjdk-portable (Red Hat build of OpenJDK 17) - Affected
redhat
CVE-2026-6776 | HIGH | CVSS 7.8 | CWE-119 | fixed in 140.10.0 | 2026-04-21
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6780 | HIGH | CVSS 7.5 | CWE-400 | fixed in 150.0 | 2026-04-21
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6773 | HIGH | CVSS 7.5 | CWE-190 | fixed in 150.0 | 2026-04-21
Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6751 | HIGH | CVSS 7.3 | CWE-457 | ≥ 140.0, < 140.10.0 | 2026-04-21
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6758 | HIGH | CVSS 7.5 | CWE-416 | fixed in 150.0 | 2026-04-21
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6769 | HIGH | CVSS 8.8 | CWE-269 | fixed in 140.10.0 | 2026-04-21
Privilege escalation in the Debugger component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla
CVE-2026-6754 | HIGH | CVSS 7.5 | CWE-416 | fixed in 140.10.0 | 2026-04-21
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla