VulnerableCode Package Details - pkg:deb/debian/thunderbird@1:128.13.0esr-1~deb11u1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-43nm-4qjy-vfgj	On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.	CVE-2025-8028
VCID-4byg-5gy3-kkff	The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.	CVE-2025-8031
VCID-ffd7-y29n-6fan	XSLT document loading did not correctly propagate the source document which bypassed its CSP.	CVE-2025-8032
VCID-jm7w-hqzq-tqde	Thunderbird executed javascript: URLs when used in object and embed tags.	CVE-2025-8029
VCID-psc3-4ssv-wyb5	On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.	CVE-2025-8027
VCID-q9f4-zumy-wbfy	Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	CVE-2025-8034
VCID-qz95-5z9e-7qb7	The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.	CVE-2025-8033
VCID-vcnn-u8k9-8ubs	Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	CVE-2025-8035
VCID-yfwd-x224-3qe6	Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code.	CVE-2025-8030

Vulnerability

Summary

Aliases

VCID-43nm-4qjy-vfgj

On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.

CVE-2025-8028

VCID-4byg-5gy3-kkff

The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.

CVE-2025-8031

VCID-ffd7-y29n-6fan

XSLT document loading did not correctly propagate the source document which bypassed its CSP.

CVE-2025-8032

VCID-jm7w-hqzq-tqde

Thunderbird executed javascript: URLs when used in object and embed tags.

CVE-2025-8029

VCID-psc3-4ssv-wyb5

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.

CVE-2025-8027

VCID-q9f4-zumy-wbfy

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-8034

VCID-qz95-5z9e-7qb7

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.

CVE-2025-8033

VCID-vcnn-u8k9-8ubs

Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2025-8035

VCID-yfwd-x224-3qe6

Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code.

CVE-2025-8030

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:44:30.110039+00:00	Debian Importer	Fixing	VCID-q9f4-zumy-wbfy	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:20:00.233402+00:00	Debian Importer	Fixing	VCID-jm7w-hqzq-tqde	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:50:32.134790+00:00	Debian Importer	Fixing	VCID-ffd7-y29n-6fan	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:22:53.174021+00:00	Debian Importer	Fixing	VCID-yfwd-x224-3qe6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:13:41.503805+00:00	Debian Importer	Fixing	VCID-43nm-4qjy-vfgj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:01:21.844494+00:00	Debian Importer	Fixing	VCID-psc3-4ssv-wyb5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:51:37.008296+00:00	Debian Importer	Fixing	VCID-vcnn-u8k9-8ubs	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:49:28.587132+00:00	Debian Importer	Fixing	VCID-4byg-5gy3-kkff	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:43:15.421956+00:00	Debian Importer	Fixing	VCID-qz95-5z9e-7qb7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:13:40.418911+00:00	Debian Importer	Fixing	VCID-yfwd-x224-3qe6	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:49:59.941656+00:00	Debian Importer	Fixing	VCID-q9f4-zumy-wbfy	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:49:15.922422+00:00	Debian Importer	Fixing	VCID-43nm-4qjy-vfgj	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:42:47.879943+00:00	Debian Importer	Fixing	VCID-jm7w-hqzq-tqde	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:21:08.588335+00:00	Debian Importer	Fixing	VCID-qz95-5z9e-7qb7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:20:25.972079+00:00	Debian Importer	Fixing	VCID-ffd7-y29n-6fan	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:43:15.050638+00:00	Debian Importer	Fixing	VCID-psc3-4ssv-wyb5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:42:50.891640+00:00	Debian Importer	Fixing	VCID-4byg-5gy3-kkff	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:35:33.082033+00:00	Debian Importer	Fixing	VCID-vcnn-u8k9-8ubs	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:54:57.837054+00:00	Debian Importer	Fixing	VCID-vcnn-u8k9-8ubs	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.780474+00:00	Debian Importer	Fixing	VCID-q9f4-zumy-wbfy	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.723514+00:00	Debian Importer	Fixing	VCID-qz95-5z9e-7qb7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.667090+00:00	Debian Importer	Fixing	VCID-ffd7-y29n-6fan	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.610289+00:00	Debian Importer	Fixing	VCID-4byg-5gy3-kkff	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.554746+00:00	Debian Importer	Fixing	VCID-yfwd-x224-3qe6	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.498913+00:00	Debian Importer	Fixing	VCID-jm7w-hqzq-tqde	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.442748+00:00	Debian Importer	Fixing	VCID-43nm-4qjy-vfgj	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:54:57.385699+00:00	Debian Importer	Fixing	VCID-psc3-4ssv-wyb5	https://security-tracker.debian.org/tracker/data/json	38.1.0