Mozilla Thunderbird vulnerabilities
1,918 known vulnerabilities affecting mozilla/thunderbird.
Total CVEs
1,918
CISA KEV
14
actively exploited
Public exploits
59
Exploited in wild
18
Severity breakdown
CRITICAL625HIGH610MEDIUM652LOW31
Vulnerabilities
Page 5 of 96
CVE-2026-6747HIGHCVSS 7.5fixed in 140.10.02026-04-21
CVE-2026-6747 [HIGH] CWE-416 CVE-2026-6747: Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6759HIGHCVSS 7.5≥ 140.0, < 140.10.02026-04-21
CVE-2026-6759 [HIGH] CWE-416 CVE-2026-6759: Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6763MEDIUMCVSS 6.5≥ 140.0, < 140.10.02026-04-21
CVE-2026-6763 [MEDIUM] CWE-693 CVE-2026-6763: Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firef
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6757MEDIUMCVSS 6.3≥ 140.0, < 140.10.02026-04-21
CVE-2026-6757 [MEDIUM] CWE-824 CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 15
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6762MEDIUMCVSS 6.3≥ 140.0, < 140.10.02026-04-21
CVE-2026-6762 [MEDIUM] CWE-290 CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firef
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6778MEDIUMCVSS 5.3fixed in 150.02026-04-21
CVE-2026-6778 [MEDIUM] CWE-476 CVE-2026-6778: Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150
Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6775MEDIUMCVSS 5.3fixed in 150.02026-04-21
CVE-2026-6775 [MEDIUM] CWE-119 CVE-2026-6775: Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 a
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6765MEDIUMCVSS 5.3fixed in 140.10.02026-04-21
CVE-2026-6765 [MEDIUM] CWE-359 CVE-2026-6765: Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150,
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6774MEDIUMCVSS 5.4fixed in 150.02026-04-21
CVE-2026-6774 [MEDIUM] CWE-693 CVE-2026-6774: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Th
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6755MEDIUMCVSS 6.5fixed in 150.02026-04-21
CVE-2026-6755 [MEDIUM] CWE-352 CVE-2026-6755: Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6770MEDIUMCVSS 6.5fixed in 140.10.02026-04-21
CVE-2026-6770 [MEDIUM] CWE-200 CVE-2026-6770: Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefo
Other issue in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6779MEDIUMCVSS 5.3fixed in 150.02026-04-21
CVE-2026-6779 [MEDIUM] CWE-20 CVE-2026-6779: Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thun
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6764MEDIUMCVSS 6.5≥ 140.0, < 140.10.02026-04-21
CVE-2026-6764 [MEDIUM] CWE-119 CVE-2026-6764: Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6783MEDIUMCVSS 5.3fixed in 150.02026-04-21
CVE-2026-6783 [MEDIUM] CWE-190 CVE-2026-6783: Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnera
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6767MEDIUMCVSS 5.3≥ 140.0, < 140.10.02026-04-21
CVE-2026-6767 [MEDIUM] CWE-119 CVE-2026-6767: Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox
Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvdmozilla
CVE-2026-6777MEDIUMCVSS 5.3fixed in 150.02026-04-21
CVE-2026-6777 [MEDIUM] CWE-20 CVE-2026-6777: Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunde
Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvdmozilla
CVE-2026-6654MEDIUMCVSS 5.12026-04-20
CVE-2026-6654 [MEDIUM] CWE-1341 thin-vec: mozilla/thin-vec: Memory corruption vulnerability via Double-Free/Use-After-Free
thin-vec: mozilla/thin-vec: Memory corruption vulnerability via Double-Free/Use-After-Free
A flaw was found in the `thin_vec` component of `mozilla/thin-vec`. This vulnerability involves a memory management error known as a Double-Free/Use-After-Free (UAF), which occurs in the `IntoIter::drop` and `ThinVec::clear` functions. When a specific error condition (a panic in `ptr:
redhat
CVE-2026-5734CRITICALCVSS 9.8fixed in 140.9.1fixed in 149.0.22026-04-07
CVE-2026-5734 [CRITICAL] CWE-787 CVE-2026-5734: Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thun
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunde
nvd
CVE-2026-5735CRITICALCVSS 9.8fixed in 149.0.22026-04-07
CVE-2026-5735 [CRITICAL] CWE-787 CVE-2026-5735: Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evi
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
nvd
CVE-2026-4701CRITICALCVSS 9.8≥ 0, < 1:140.9.0esr-1~deb11u1≥ 0, < 1:140.9.0esr-1~deb12u1+2 more2026-03-24
CVE-2026-4701 [CRITICAL] CVE-2026-4701: Use-after-free in the JavaScript Engine component
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
osv