Mozilla Thunderbird vulnerabilities

1,818 known vulnerabilities affecting mozilla/thunderbird.

Total CVEs: 1,818
CISA KEV: 14 (actively exploited)
Public exploits: 56
Exploited in wild: 18
Severity breakdown: CRITICAL 612, HIGH 551, MEDIUM 626, LOW 29

Vulnerabilities

Page 6 of 91
CVE-2026-0877 | HIGH | CVSS 8.1 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0877 [HIGH] CWE-693: Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0878 | HIGH | CVSS 8.0 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0878 [HIGH] CWE-20: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0889 | HIGH | CVSS 7.5 | fixed in 147.0 | 2026-01-13
CVE-2026-0889 [HIGH] CWE-400: Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd
CVE-2026-0891 | HIGH | CVSS 8.1 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0891 [HIGH] CWE-119: Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderb
nvd, osv
CVE-2026-0882 | HIGH | CVSS 8.8 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0882 [HIGH] CWE-416: Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0880 | HIGH | CVSS 8.8 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0880 [HIGH] CWE-190: Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0890 | MEDIUM | CVSS 5.4 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0890 [MEDIUM] CWE-290: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0886 | MEDIUM | CVSS 5.3 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0886 [MEDIUM] CWE-119: Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0885 | MEDIUM | CVSS 6.5 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0885 [MEDIUM] CWE-416: Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0887 | MEDIUM | CVSS 4.3 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0887 [MEDIUM] CWE-497: Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2026-0888 | MEDIUM | CVSS 5.3 | fixed in 147.0 | 2026-01-13
CVE-2026-0888 [MEDIUM] CWE-200: Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
nvd
CVE-2026-0883 | MEDIUM | CVSS 5.3 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0883 [MEDIUM] CWE-200: Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
nvd, osv
CVE-2025-14324 | CRITICAL | CVSS 9.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14324 [CRITICAL] CWE-94: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
nvd, osv
CVE-2025-14326 | CRITICAL | CVSS 9.8 | fixed in 146.0 | 2025-12-09
CVE-2025-14326 [CRITICAL] CWE-416: Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.
nvd
CVE-2025-14330 | CRITICAL | CVSS 9.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14330 [CRITICAL] CWE-119: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
nvd, osv
CVE-2025-14321 | CRITICAL | CVSS 9.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14321 [CRITICAL] CWE-416: Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
nvd, osv
CVE-2025-14328 | HIGH | CVSS 8.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14328 [HIGH]: Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
nvd, osv
CVE-2025-14327 | HIGH | CVSS 7.5 | fixed in 146.0 | 2025-12-09
CVE-2025-14327 [HIGH] CWE-290: Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.
nvd, osv
CVE-2025-14333 | HIGH | CVSS 8.1 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14333 [HIGH] CWE-787: Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunde
nvd, osv
CVE-2025-14329 | HIGH | CVSS 8.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14329 [HIGH]: Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
nvd, osv