VulnerableCode Package Details - pkg:deb/debian/thunderbird@1:128.10.0esr-1~deb12u1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-as4y-nhw6-akfx	A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.	CVE-2025-4087
VCID-b3rg-quvp-2uha	A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.	CVE-2025-4083
VCID-dp5j-4mzw-pqer	Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.	CVE-2025-4093
VCID-gph4-xa9p-73fr	Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	CVE-2025-4091
VCID-jyns-kqp9-4ygh	By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well.	CVE-2025-2830
VCID-n9jq-77ud-v7c9	When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.	CVE-2025-3523
VCID-rfve-tkv7-13dv	Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues.	CVE-2025-3522

Vulnerability

Summary

Aliases

VCID-as4y-nhw6-akfx

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.

CVE-2025-4087

VCID-b3rg-quvp-2uha

A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.

CVE-2025-4083

VCID-dp5j-4mzw-pqer

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

CVE-2025-4093

VCID-gph4-xa9p-73fr

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-4091

VCID-jyns-kqp9-4ygh

By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well.

CVE-2025-2830

VCID-n9jq-77ud-v7c9

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.

CVE-2025-3523

VCID-rfve-tkv7-13dv

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues.

CVE-2025-3522

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:43:25.666728+00:00	Debian Importer	Fixing	VCID-gph4-xa9p-73fr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:14:28.698496+00:00	Debian Importer	Fixing	VCID-as4y-nhw6-akfx	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:01:01.968237+00:00	Debian Importer	Fixing	VCID-b3rg-quvp-2uha	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:53:24.844490+00:00	Debian Importer	Fixing	VCID-n9jq-77ud-v7c9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:50:31.843668+00:00	Debian Importer	Fixing	VCID-dp5j-4mzw-pqer	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:31:29.280684+00:00	Debian Importer	Fixing	VCID-jyns-kqp9-4ygh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:51:03.452337+00:00	Debian Importer	Fixing	VCID-rfve-tkv7-13dv	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:43:26.438517+00:00	Debian Importer	Fixing	VCID-gph4-xa9p-73fr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:10:25.164686+00:00	Debian Importer	Fixing	VCID-b3rg-quvp-2uha	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:54:12.692610+00:00	Debian Importer	Fixing	VCID-as4y-nhw6-akfx	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:36:59.001026+00:00	Debian Importer	Fixing	VCID-n9jq-77ud-v7c9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:34:44.298281+00:00	Debian Importer	Fixing	VCID-dp5j-4mzw-pqer	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:21:03.769837+00:00	Debian Importer	Fixing	VCID-jyns-kqp9-4ygh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:56:42.057628+00:00	Debian Importer	Fixing	VCID-rfve-tkv7-13dv	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:54:56.372358+00:00	Debian Importer	Fixing	VCID-dp5j-4mzw-pqer	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:56.316510+00:00	Debian Importer	Fixing	VCID-gph4-xa9p-73fr	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:56.260194+00:00	Debian Importer	Fixing	VCID-as4y-nhw6-akfx	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:56.160177+00:00	Debian Importer	Fixing	VCID-b3rg-quvp-2uha	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:55.890213+00:00	Debian Importer	Fixing	VCID-n9jq-77ud-v7c9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:55.834317+00:00	Debian Importer	Fixing	VCID-rfve-tkv7-13dv	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:55.605044+00:00	Debian Importer	Fixing	VCID-jyns-kqp9-4ygh	https://security-tracker.debian.org/tracker/data/json	38.1.0