Search for packages
| purl | pkg:deb/debian/thunderbird@1:140.9.0esr-1?distro=trixie |
| Next non-vulnerable version | 1:140.9.1esr-1~deb11u1 |
| Latest non-vulnerable version | 1:140.9.1esr-1 |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5dw5-vpt8-zqbz
Aliases: CVE-2026-5731 |
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9ag7-z86d-nba9
Aliases: CVE-2026-5734 |
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-qbzp-euvv-q7c7
Aliases: CVE-2026-5732 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-11pv-s4za-tbch | A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions. |
CVE-2024-4768
|
| VCID-135c-h34e-tye5 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40957
|
| VCID-13he-qsr4-h3d4 | Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4709
|
| VCID-13hn-7fbd-mfhq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1553
|
| VCID-14gr-rfym-5yha | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6463
|
| VCID-15j8-br8z-juf3 | Spoofing issue in Thunderbird. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9. |
CVE-2026-3889
|
| VCID-16q2-yvfb-u3br | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11717
|
| VCID-16ta-j6p4-afgn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6794
|
| VCID-17tt-jftn-m3bd | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31737
|
| VCID-18my-61hh-n3gb | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1934
|
| VCID-19r2-4svk-uydr | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4578
|
| VCID-1a64-m2w1-hkhs | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6814
|
| VCID-1bwt-pf55-7ubd | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3808
|
| VCID-1dkk-86db-s3ch | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5168
|
| VCID-1e61-jk2b-aubw | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23994
|
| VCID-1erb-xc8r-8kfm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26384
|
| VCID-1frd-d76n-13fm | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26965
|
| VCID-1fv1-edht-ufag | Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4715
|
| VCID-1gbp-dg93-wud9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5129
|
| VCID-1h5k-e7nm-uyc9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-3417
|
| VCID-1hak-cqnh-tqay | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45406
|
| VCID-1hay-xe3q-gyb4 | Use-after-free in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2789
|
| VCID-1jqj-tqfp-73f7 | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14325
|
| VCID-1jvh-anus-rfeg | When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. |
CVE-2022-3034
|
| VCID-1mm2-4b1k-afat | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') The olm_session_describe function in Matrix libolm is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web. |
CVE-2021-44538
|
| VCID-1phe-59fw-9qdt | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22739
|
| VCID-1q54-juu2-xbat | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15683
|
| VCID-1rj3-tt63-4yc1 | Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. |
CVE-2021-38497
|
| VCID-1ryc-yvxd-93e2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43529
|
| VCID-1s5n-6p4c-q3ds | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12417
|
| VCID-1u8u-pnq3-t7ae | Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2757
|
| VCID-1v2s-g46y-ybdc | Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2026-2792
|
| VCID-1vpc-vfey-qkb6 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25732
|
| VCID-1x4b-p9es-u7fj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11705
|
| VCID-1xcg-n9k4-tqc4 | A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. |
CVE-2025-1011
|
| VCID-1z5d-4wfm-8yfk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9396
|
| VCID-1zf8-qjts-9fbc | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11704
|
| VCID-23eu-22t2-cydd | Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4714
|
| VCID-23mb-npay-uqaq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6793
|
| VCID-2648-ggwp-cyfv | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25735
|
| VCID-26d3-ctnj-7kbh | Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4691
|
| VCID-27hw-egkx-w7d4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1529
|
| VCID-289s-f2w6-53g9 | Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4716
|
| VCID-2a5d-8cac-mkft | A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code.*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.* |
CVE-2023-29542
|
| VCID-2cd3-m37k-5ydh | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29946
|
| VCID-2ejc-7bd5-qkbf | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-3028
|
| VCID-2j6k-5q8j-3fbc | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which arbitrary code execution. |
CVE-2024-9680
|
| VCID-2k99-39yt-gkbe | During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. |
CVE-2021-38496
|
| VCID-2khw-6pqe-n3f2 | Several vulnerabilities in Mozilla Thunderbird allow cross site scripting, JavaScript privilege escalation and possibly execution of arbitrary code. |
CVE-2006-2781
|
| VCID-2pvz-3cmq-53dk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7519
|
| VCID-2s85-r5tn-wucn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31741
|
| VCID-2syj-hbw7-fkbp | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29988
|
| VCID-2tts-gwgd-zqcz | A vulnerability has been discovered in NSS, which can lead to the recovery of private data. |
CVE-2023-5388
|
| VCID-2vyc-yhw7-muea | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43546
|
| VCID-2xk4-1b82-p3ft | Dynamically changing the style of an element from position:relative to position:static can cause Gecko to operate on freed memory. It may be possible to exploit this in order to run arbitrary code.This flaw was introduced during Firefox 1.5 and SeaMonkey 1.0 development and does not affect Firefox 1.0 or the Mozilla Suite 1.7Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.Update (13 April 2006) This flaw has been fixed in Thunderbird 1.5.0.2 |
CVE-2006-0294
|
| VCID-2xza-hhmr-5ybw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7826
|
| VCID-2z7p-2uj3-2qfb | If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thread and any worker threads. *Note: users need to update to macOS 10.14.5 in order to take advantage of this change.* |
CVE-2019-9815
|
| VCID-2zdh-azdw-tuav | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-2609
|
| VCID-32pc-j3he-pffx | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4055
|
| VCID-351y-4nek-u3aw | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4698
|
| VCID-358q-cakg-h7h4 | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3803
|
| VCID-362f-1bn1-mbg5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46882
|
| VCID-37ud-wx7n-mqhs | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-42927
|
| VCID-38j9-cugr-abc9 | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-35113
|
| VCID-3ayf-d2s1-67ff | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8382
|
| VCID-3gmj-y8qd-ufej | Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2787
|
| VCID-3grf-hwk1-3fh8 | Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4719
|
| VCID-3kd3-hwzv-efbn | Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2026-4721
|
| VCID-3nzs-5tgj-q3hw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23964
|
| VCID-3p7d-8qjd-kyd5 | An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. |
CVE-2021-4127
|
| VCID-3pvs-3ppc-r7a5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3857
|
| VCID-3qfb-sxha-v3cw | Same-origin policy bypass in the Layout component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10529
|
| VCID-3rn4-418d-vqd5 | Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code.This flaw appears to have been introduced during development of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older Mozilla Suite 1.7 do not appear to be vulnerable.Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.Update (7 February 2006) H D Moore of the Metasploit Project published a working exploit on milw0rm for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded to critical.Update (13 April 2006) This flaw has been fixed in Thunderbird 1.5.0.2 |
CVE-2006-0295
|
| VCID-3sg3-9yx7-fufa | Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2790
|
| VCID-3sjh-f264-m3g7 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8387
|
| VCID-3smq-ax5u-ryd3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-17012
|
| VCID-3tmg-yvx8-5kdt | If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. |
CVE-2021-23991
|
| VCID-3ux5-gp3e-2udq | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15669
|
| VCID-3v78-2fyv-tqht | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12385
|
| VCID-3vbp-2h4f-7bav | A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. |
CVE-2024-2611
|
| VCID-3xgu-7evz-mffw | Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4705
|
| VCID-3yea-3gw6-xkcb | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-35111
|
| VCID-3zwq-1hwc-3fgj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29976
|
| VCID-41g2-dvb2-yqhg | Memory safety bugs present in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2024-2614
|
| VCID-41zd-qkbf-bucq | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5187
|
| VCID-436x-mrs7-q3gk | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26960
|
| VCID-43dj-vtap-2qd2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32206
|
| VCID-43nm-4qjy-vfgj | On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. |
CVE-2025-8028
|
| VCID-46ay-rbbm-gqec | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-0884
|
| VCID-46cy-x3cp-tke5 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0743
|
| VCID-4bw1-v6ze-kbds | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13018
|
| VCID-4byg-5gy3-kkff | The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. |
CVE-2025-8031
|
| VCID-4c3c-ygt3-kbg5 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2020-6797
|
| VCID-4ewq-72xf-rfhq | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12371
|
| VCID-4f4y-p7h8-dygq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5728
|
| VCID-4g7u-xmdq-mkdn | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14328
|
| VCID-4gsx-puz4-a3f1 | Use-after-free in MediaTrackGraphImpl::GetInstance() |
CVE-2025-11708
|
| VCID-4kd3-95cm-g3fc | Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13019
|
| VCID-4kmx-pfby-hfbn | Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. |
CVE-2024-11159
|
| VCID-4m2d-td6c-ukd4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40958
|
| VCID-4nqf-nxkj-x3g4 | GetBoundName could return the wrong version of an object when JIT optimizations were applied. |
CVE-2024-3852
|
| VCID-4q6h-ac7c-6fav | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-42928
|
| VCID-4q6w-tdk9-d3an | Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2026-4720
|
| VCID-4r8e-64b6-bbbu | Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4711
|
| VCID-4sv2-j8zg-xkhf | When running, the updater service wrote status and log files to an unrestricted location; potentially allowing an unprivileged process to locate and exploit a vulnerability in file handling in the updater service. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* |
CVE-2019-17009
|
| VCID-4vps-3cxv-xyd5 | On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as .url by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. |
CVE-2024-5692
|
| VCID-4vt1-q4wj-87bm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29980
|
| VCID-4xqc-36jb-63c2 | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2786
|
| VCID-4yvm-d9qr-ebaw | Multiple vulnerabilities have been discovered in NSS, the worst of which could result in arbitrary code execution. |
CVE-2022-1097
|
| VCID-4z8m-8jr8-pqh6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32212
|
| VCID-4zjw-4gjw-pqh1 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0242
|
| VCID-51jr-5fzq-hbav | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23969
|
| VCID-51na-65q7-mqd1 | Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. |
CVE-2021-29950
|
| VCID-52ha-qvpu-ruc8 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-37208
|
| VCID-5666-pp89-aqc2 | The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.*Note: this issue only affects Firefox on Windows operating systems.* |
CVE-2020-12393
|
| VCID-58fz-pp5t-8ybz | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1731
|
| VCID-59up-n66e-fyhx | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-28281
|
| VCID-59wd-mtjt-4ban | Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-11714
|
| VCID-5aga-y5nk-5fha | A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would processing incorrectly, leading to an out-of-bounds read. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* |
CVE-2021-29964
|
| VCID-5c1p-6gjw-wkgx | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-12391
|
| VCID-5ept-fu7g-8kes | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2780
|
| VCID-5f8u-kf14-tkah | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31738
|
| VCID-5fnn-ru3z-f3dt | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11712
|
| VCID-5hzf-gdbj-8ud8 | Double Free There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. |
CVE-2023-1999
|
| VCID-5j6z-g7gt-qyea | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11694
|
| VCID-5j76-pxh2-ubhd | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1520
|
| VCID-5kwn-x8e4-ukgq | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-14333
|
| VCID-5pf4-9k7e-hbee | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-16042
|
| VCID-5qap-6r9b-6qbv | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38493
|
| VCID-5qf5-d44c-t7gu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6862
|
| VCID-5rhb-8wbf-kyfu | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6822
|
| VCID-5srb-q1nd-1qfh | A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. *Note: This attack only affects Windows operating systems. Other operating systems are unaffected.* |
CVE-2017-7845
|
| VCID-5utj-ddpa-17gq | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26974
|
| VCID-5wr5-pbq3-ukeu | Georgi Guninski reports integer overflows in the new E4X, SVG, and Canvas features. These lead to memory corruption that is potentially exploitable to run arbitrary code.These flaws were introduced during Firefox 1.5 and SeaMonkey 1.0 development and do not affect Firefox 1.0 or the Mozilla Suite 1.7Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.Update (13 April 2006) This flaw has been fixed in Thunderbird 1.5.0.2 |
CVE-2006-0297
|
| VCID-5zmj-5xkc-zkgc | A vulnerability exists in the Windows sandbox where an uninitialized value in memory can be leaked to a renderer from a broker when making a call to access an otherwise unavailable file. This results in the potential leaking of information stored at that memory location. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* |
CVE-2019-11694
|
| VCID-61fy-4yzm-uyhu | If an attacker intercepts Thunderbird's initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. |
CVE-2020-15646
|
| VCID-62zr-8w1c-bydt | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8394
|
| VCID-646f-ndeq-5bee | Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4687
|
| VCID-65mp-nvc7-6kff | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18356
|
| VCID-65u5-n4mu-dqd2 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1728
|
| VCID-66dg-7sm8-vbgx | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29970
|
| VCID-66z1-8zeg-9qh1 | Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10528
|
| VCID-675n-7uzz-pqdj | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4688
|
| VCID-697p-cpq8-1qax | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32205
|
| VCID-6atn-q8xc-6fdr | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23978
|
| VCID-6b6h-x2km-u7fb | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1549
|
| VCID-6bbw-b3rx-a7hj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10462
|
| VCID-6cx1-8t9m-u3av | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0886
|
| VCID-6dgw-qbue-nqax | If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. |
CVE-2022-3033
|
| VCID-6ds2-ff5c-eqf3 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1739
|
| VCID-6f7n-yr9x-8fbw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22751
|
| VCID-6fkp-5fzu-fydp | Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2021-38500
|
| VCID-6fsa-bnes-tkff | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2765
|
| VCID-6h7s-a74e-33c1 | Mozilla developer Anne van Kesteren discovered that <iframe sandbox> with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. |
CVE-2020-15653
|
| VCID-6j2f-jjzf-tbdd | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6820
|
| VCID-6jw1-pere-ruee | Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-11715
|
| VCID-6mur-mtfg-97gt | A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. |
CVE-2026-4371
|
| VCID-6nhk-apgd-h7gh | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-18498
|
| VCID-6s88-vfr8-u3hj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4585
|
| VCID-6szy-r2cd-9kfw | matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal ### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html |
CVE-2024-50336
GHSA-xvg8-m4x3-w6xr |
| VCID-6tm9-1vsh-1qa3 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4047
|
| VCID-6xpr-2dcd-9qff | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4570
|
| VCID-6zjy-1agk-nbd9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5174
|
| VCID-72hn-2x6h-tbde | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12421
|
| VCID-72wd-b7rj-3fda | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3810
|
| VCID-73wu-d7y3-7bge | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-1945
|
| VCID-7458-uqdr-5fg7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43541
|
| VCID-74zp-pzc4-efhm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38495
|
| VCID-754j-7erb-z7ae | Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. |
CVE-2025-2817
|
| VCID-75fd-w925-4qh4 | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15676
|
| VCID-75sb-xb3r-3fa8 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4573
|
| VCID-77u8-v9gs-sfca | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25728
|
| VCID-77xm-mea8-n3ec | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12393
|
| VCID-77y6-jskt-qucb | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. |
CVE-2025-59375
|
| VCID-782n-nc6m-13ec | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1551
|
| VCID-7939-5qcd-tqgg | Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* |
CVE-2025-4082
|
| VCID-7acy-1dnk-pkcq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31747
|
| VCID-7b8k-mgs3-cud5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29550
|
| VCID-7ej9-whhw-97hn | A vulnerability where a JavaScript compartment mismatch can occur while working with the fetch API, resulting in a potentially exploitable crash. |
CVE-2019-9819
|
| VCID-7eu3-hxbk-8fd7 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1935
|
| VCID-7fvy-7hpe-kbej | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38492
|
| VCID-7hkk-2k6p-vyc7 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2019-17024
|
| VCID-7hu9-yxju-9bae | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5099
|
| VCID-7krh-czjm-4ufx | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26978
|
| VCID-7ksf-b6g3-ukcc | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5155
|
| VCID-7p9y-82kb-r7h3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34472
|
| VCID-7q66-66b2-kucc | Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. |
CVE-2025-5266
|
| VCID-7sbd-1n7f-ryed | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4057
|
| VCID-7t2x-pksm-ubgy | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45416
|
| VCID-7tj1-s8bv-e7hv | Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. |
CVE-2021-23992
|
| VCID-7u5b-uzd5-7kdc | Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* |
CVE-2024-11691
|
| VCID-7v6j-9uuc-qkc8 | An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. |
CVE-2025-4919
|
| VCID-7vfx-u76f-ubet | By tricking the browser with a X-Frame-Options header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. |
CVE-2024-5691
|
| VCID-7vk4-9vwa-pbe9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45418
|
| VCID-7wac-zu58-5kgj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6825
|
| VCID-7wmw-hpfw-vuaa | Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2761
|
| VCID-7wvh-upas-2bgh | An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. |
CVE-2024-9394
|
| VCID-7x5h-kej1-e3ef | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0751
|
| VCID-7yw2-2r4n-rugg | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9790
|
| VCID-7zqn-1txc-r3d2 | When saving a page to PDF, certain font styles could have led to a potential use-after-free crash. |
CVE-2024-4770
|
| VCID-83xt-ng2x-zugv | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26953
|
| VCID-84jf-84jx-3fgj | Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14323
|
| VCID-86mg-qy53-pyc3 | As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1531
|
| VCID-878b-mn4w-wkg4 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4049
|
| VCID-87mf-fznn-m3gy | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6205
|
| VCID-89es-k3ja-1be1 | PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645 |
CVE-2024-4367
GHSA-wgrm-67xf-hhpq |
| VCID-89kx-fdvr-73cs | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22754
|
| VCID-89t2-wzrw-nycq | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12362
|
| VCID-8cv4-kvfj-4uek | Mozilla community member Philipp reported a memory safety bug present in Firefox 68 when 360 Total Security was installed. This bug showed evidence of memory corruption in the accessibility engine and we presume that with enough effort that it could be exploited to run arbitrary code. |
CVE-2019-11758
|
| VCID-8dgu-ppan-9ub2 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4048
|
| VCID-8enx-7aa9-cqd3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22737
|
| VCID-8ffc-g2p2-xfax | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3801
|
| VCID-8fny-dsut-7ba3 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5171
|
| VCID-8fu2-5gxg-ekhy | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23961
|
| VCID-8gnk-vdur-9uet | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1734
|
| VCID-8hgj-7cb6-fbbp | A race condition is present in the crash generation server used to generate data for the crash reporter. This issue can lead to a use-after-free in the main process, resulting in a potentially exploitable crash and a sandbox escape. *Note: this vulnerability only affects Windows. Other operating systems are unaffected.* |
CVE-2019-9818
|
| VCID-8hm6-nz5h-yfcm | An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. |
CVE-2025-4918
|
| VCID-8hqw-tgvq-pucf | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12392
|
| VCID-8jzn-g96u-tudw | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26956
|
| VCID-8k1r-9djq-h3bh | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12390
|
| VCID-8k4z-rq29-mqg5 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11697
|
| VCID-8kgq-qhy6-e3c2 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-38476
|
| VCID-8m89-ma2u-5fgu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5730
|
| VCID-8q1b-fdq4-aqha | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45405
|
| VCID-8qtg-h4km-bfg2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11719
|
| VCID-8qyy-e4jt-rbc4 | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4695
|
| VCID-8s22-tw1u-7kbw | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45411
|
| VCID-8san-ze3j-dqdx | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-3030
|
| VCID-8sba-dejt-vqfp | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3861
|
| VCID-8tmx-53k3-pbfj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26961
|
| VCID-8u4y-zrhv-8fe9 | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0887
|
| VCID-8uk6-x62z-uybr | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2022-2505
|
| VCID-8v6z-1ktm-jygr | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23602
|
| VCID-8vka-qus2-tbhj | Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2. |
CVE-2026-2447
|
| VCID-8xek-k5y2-6bfp | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4689
|
| VCID-8ztk-5sbf-6kez | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15673
|
| VCID-8zy6-g8kn-hbdc | Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2775
|
| VCID-92qb-fqpr-27hm | A use-after-free vulnerability can occur in the chrome event handler when it is freed while still in use. This results in a potentially exploitable crash. |
CVE-2019-9820
|
| VCID-93au-w2zh-3yhg | Integer overflow in the SVG component. This vulnerability affects Firefox < 143, Firefox ESR < 115.28, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10533
|
| VCID-957q-jagj-9kg7 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7527
|
| VCID-95vw-esba-23a2 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1937
|
| VCID-962a-dwqf-3ycg | Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13016
|
| VCID-98mt-7srw-qfh4 | A vulnerability has been discovered in libvpx, which could lead to execution of arbitrary code. |
CVE-2025-5283
|
| VCID-98q2-wb23-y3b4 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1741
|
| VCID-996p-a498-tycp | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-0749
|
| VCID-9c8c-d9u8-83bx | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6795
|
| VCID-9dpt-xfu6-cuh5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4580
|
| VCID-9e85-bdkj-zyf3 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25751
|
| VCID-9frw-jsb9-c7ge | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-0566
|
| VCID-9rm3-u7dy-zuhu | Same-origin policy bypass in the Graphics: Canvas2D component. |
CVE-2025-9180
|
| VCID-9tc4-qr6d-6kfu | When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. |
CVE-2020-15654
|
| VCID-9tdt-84zg-3fd7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31742
|
| VCID-9the-k9nt-4bdg | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-34416
|
| VCID-9tkb-9fch-67bc | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1802
|
| VCID-9tnj-j5xv-43cm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-36318
|
| VCID-9tnr-m8mg-3ffw | Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* |
CVE-2025-5265
|
| VCID-9u64-4cr7-w3e1 | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3677
|
| VCID-9y48-sjn7-rqeu | Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2021-38501
|
| VCID-9ym2-agp7-budj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23601
|
| VCID-9z3s-qfbc-vbdc | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6859
|
| VCID-9zxb-j4ep-n7g9 | Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2791
|
| VCID-a2as-nfu2-ykax | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32214
|
| VCID-a2k9-85qx-u7cy | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9788
|
| VCID-a2nq-ss2f-bqac | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29917
|
| VCID-a2x3-x693-gqdf | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23984
|
| VCID-a5dv-qhc6-pqb5 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1740
|
| VCID-a659-299u-byfb | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29986
|
| VCID-a6wm-rraf-gbh9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6831
|
| VCID-a79m-8sp3-v3dh | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12360
|
| VCID-a7q5-uxwb-dfh9 | run-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. |
CVE-2005-2353
|
| VCID-a8gt-y9j7-zuhs | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29548
|
| VCID-a8vw-n16x-duee | Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. |
CVE-2025-5264
|
| VCID-a96p-9hbb-fbaj | Certificate OCSP revocation status was not checked when verifying S/Mime signatures. Mail signed with a revoked certificate would be displayed as having a valid signature. Thunderbird versions from 68 to 102.7.0 were affected by this bug. |
CVE-2023-0430
|
| VCID-a98z-hwzc-wkcj | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0882
|
| VCID-abh6-ejxb-k7be | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-0292
|
| VCID-abt2-6a7f-pfba | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3864
|
| VCID-acgm-1xtc-mkdq | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1790
|
| VCID-adfd-zkn8-3fgd | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5156
|
| VCID-aemu-emvp-hkfh | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10460
|
| VCID-ag5p-n7es-v7gh | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-28176
|
| VCID-ag97-q79a-xbgb | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23605
|
| VCID-ahzj-vepp-r3f4 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31744
|
| VCID-ajzf-jj8y-3ue3 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25729
|
| VCID-ak2m-xsvt-eqbs | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15652
|
| VCID-akhr-nck5-sfh2 | When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.This bug only affects Thunderbird for Windows. Other operating systems are unaffected.* |
CVE-2022-36314
|
| VCID-an3w-wb6n-zuee | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45410
|
| VCID-apes-5sa9-w7gd | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0755
|
| VCID-aquh-9cjg-wyey | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46877
|
| VCID-as4y-nhw6-akfx | A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. |
CVE-2025-4087
|
| VCID-as8g-vnyj-u7hk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29539
|
| VCID-aufc-f7tk-h7hj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25746
|
| VCID-avgs-nz9j-gqg8 | On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. |
CVE-2025-1930
|
| VCID-awnf-jwg6-k3bk | Mozilla Developer Rob Wu discovered that a redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of cross-origin information. |
CVE-2020-15655
|
| VCID-ax8a-z9s4-e3dk | A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.* |
CVE-2019-9794
|
| VCID-axtu-gujv-rfgk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12410
|
| VCID-azdd-vdn3-kffy | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2758
|
| VCID-b2py-tgw4-hqh8 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29948
|
| VCID-b3jt-7h5q-vqgd | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1546
|
| VCID-b3rg-quvp-2uha | A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. |
CVE-2025-4083
|
| VCID-b3zg-y242-xybq | If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox. |
CVE-2024-4767
|
| VCID-b4bq-q3ga-3ff1 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4707
|
| VCID-b4fq-m97e-eybr | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12418
|
| VCID-b5jm-57h2-2qcs | JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2764
|
| VCID-b5t3-yqha-xyeq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2025-26696
|
| VCID-b5y9-qmw5-nkbv | If an attacker could find a way to trigger a particular code path in SafeRefPtr, it could have triggered a crash or potentially be leveraged to achieve code execution. |
CVE-2024-2612
|
| VCID-b67z-91x3-sug1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11764
|
| VCID-b6sf-z5tm-4uau | Use-after-free in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4696
|
| VCID-b6ug-rdyx-4uaw | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8900
|
| VCID-b8c2-qrxm-sybt | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38508
|
| VCID-b8dx-232z-qbbc | Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2779
|
| VCID-b8qk-zbj4-yfg2 | When setting a thread name on Windows in WebRTC, an incorrect number of arguments could have been supplied, leading to stack corruption and a potentially exploitable crash. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* |
CVE-2019-13722
|
| VCID-b911-qnc2-x3aj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38509
|
| VCID-b9aw-u5wp-6uhk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-5693
|
| VCID-bae9-9f51-wqac | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11760
|
| VCID-bapg-hzuc-ykby | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4575
|
| VCID-bc3c-kxdw-afh1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5185
|
| VCID-bc7q-srps-sfd7 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29541
|
| VCID-bccq-jn4j-8qd8 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2017-16541
|
| VCID-bd6g-ev4d-kyf6 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18335
|
| VCID-bddb-ehm2-wqen | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18509
|
| VCID-bdu3-hre7-9uej | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4571
|
| VCID-bfdm-fkfv-nfch | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12365
|
| VCID-bjny-apx2-8ba1 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11695
|
| VCID-bm8j-1dxt-q3a8 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5103
|
| VCID-bpsj-5ap7-zuhq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5097
|
| VCID-bqyj-qnak-eydy | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43543
|
| VCID-bshu-jxhj-27b8 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-5700
|
| VCID-bsnh-1chq-z7ae | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9400
|
| VCID-buz6-pv1h-pkbx | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-12372
|
| VCID-bw96-5g6y-j3c4 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6860
|
| VCID-bwk4-hqx8-97dy | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10459
|
| VCID-bxrh-7kwf-p3at | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40956
|
| VCID-byhb-42wc-xff5 | The implementation of E4X introduced an internal "AnyName" object which was unintentionally exposed to web content. This singleton object could be used by two cooperating domains as a communication channel to get around same-origin restrictions that prevent direct access from one window or frame to another. This could not be used to violate same-origin protection of another window's content, it was simply a mutually accessible storage spot. E4X was not supported in Firefox 1.0 or Mozilla 1.7Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.Update (13 April 2006) This flaw has been fixed in Thunderbird 1.5.0.2 |
CVE-2006-0299
|
| VCID-bzgb-mdsk-yua6 | An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. |
CVE-2025-1009
|
| VCID-c4qs-a9kw-p3hc | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2019-17017
|
| VCID-c51s-yenc-4yab | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38504
|
| VCID-c52k-tg8d-sbeg | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23599
|
| VCID-c5b5-beuj-z3gh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40959
|
| VCID-c6rx-p235-9bdz | Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-10537
|
| VCID-ccbk-bcjn-9ygr | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11740
|
| VCID-ce3x-bw1m-jyf4 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18506
|
| VCID-cfqv-7r6b-g3e9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4576
|
| VCID-cggq-6c2f-1qf4 | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2778
|
| VCID-cgvg-aj53-kkbp | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-0767
|
| VCID-ch3v-nq5w-3fg4 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-37202
|
| VCID-cj16-a2tv-cqd7 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4574
|
| VCID-ckth-a939-dydh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11704
|
| VCID-cmnc-fyxb-rfd4 | An attacker could have caused an out of bounds memory access using WebGL APIs, leading to memory corruption and a potentially exploitable crash.*This bug only affects Firefox for macOS. Other operating systems are unaffected.* |
CVE-2023-29531
|
| VCID-cpez-x3zd-p7bu | Invalid pointer in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2785
|
| VCID-cqpd-wav4-pubn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26381
|
| VCID-csm4-qspw-83da | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5188
|
| VCID-cw2e-p5x2-j7fu | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. |
CVE-2022-36059
GHSA-rfv9-x7hh-xc32 |
| VCID-cx4p-6ywa-hbec | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12389
|
| VCID-cxdv-z3ev-z3ee | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29913
|
| VCID-cy4f-4pvz-23fh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6792
|
| VCID-cypj-1jsu-cbh5 | Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-1016
|
| VCID-czjm-z1pe-jqby | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2020-26970
|
| VCID-d194-2uh4-pug1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22743
|
| VCID-d4bx-x9pb-8kfx | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5150
|
| VCID-d9vf-maye-6ff7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22745
|
| VCID-db28-rbyf-1qf4 | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14329
|
| VCID-dcjm-7xcr-ayew | Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-5268
|
| VCID-ddem-1dt1-uff7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38503
|
| VCID-ddwf-z514-hbbj | Information disclosure in the Networking: Cache component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10536
|
| VCID-dedv-96fb-vyhp | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29967
|
| VCID-deth-9krh-kufj | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0890
|
| VCID-dg61-9h8j-tkfj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29916
|
| VCID-dgwm-n1zx-qkbq | Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13012
|
| VCID-dh3c-g3k3-zkb7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7805
|
| VCID-dh5k-q87q-4qfs | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11696
|
| VCID-dhed-rfz6-ffe9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26951
|
| VCID-dk34-s8e2-uya4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11703
|
| VCID-dp5j-4mzw-pqer | Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. |
CVE-2025-4093
|
| VCID-dqhd-ay8b-wfam | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31740
|
| VCID-drcd-xhd2-27hn | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9793
|
| VCID-ds2y-kn7q-vuct | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10464
|
| VCID-dsaw-xa6k-4yfw | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26968
|
| VCID-dtj3-7tjs-u3fy | Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward. |
CVE-2019-11739
|
| VCID-du2f-xvxg-4bbf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11709
|
| VCID-dvd1-3gbf-d3gw | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3806
|
| VCID-dveb-sthz-bkgu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25738
|
| VCID-dwy5-7rms-rkg6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-3155
|
| VCID-dxwp-5jfs-nuew | Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2778
|
| VCID-dydk-9hwf-4ka4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7793
|
| VCID-e2k8-m9sm-8uek | Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4699
|
| VCID-e36h-6n36-puht | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7814
|
| VCID-e38r-grgp-rfbn | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23998
|
| VCID-e4nx-qfam-cfaj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46872
|
| VCID-e6bs-vk6j-h3e6 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6206
|
| VCID-e7jk-vs8y-fyhr | Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13020
|
| VCID-e7p8-zrwx-5ug6 | A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click menus, resulting in a disrupted browsing experience until the browser is restarted. *This bug only affects the application when running on macOS. Other operating systems are unaffected.* |
CVE-2024-11698
|
| VCID-ea7p-189v-mqbq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29969
|
| VCID-ebhp-kzkz-euhu | Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. *This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.* |
CVE-2023-29545
|
| VCID-ebzs-h9p8-tbb4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7830
|
| VCID-eeny-3ab1-a3g3 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1730
|
| VCID-efsu-6f8m-93en | The Mozilla Foundation has reported numerous vulnerabilities in Mozilla Firefox, including one that may allow execution of arbitrary code. |
CVE-2006-4569
|
| VCID-efvs-1tuf-guf4 | Information disclosure in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4712
|
| VCID-eget-cyhz-xbhr | Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code. |
CVE-2020-16044
|
| VCID-esw4-827s-u3f1 | When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. |
CVE-2024-4769
|
| VCID-eu3v-wzxr-pbd3 | Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets due to a bug in the Ribose RNP library used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user interface to hang. The issue was discovered using Google's oss-fuzz. |
CVE-2023-29479
|
| VCID-ewqm-puf8-hkbv | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5168
|
| VCID-ex1b-2rdy-7qhw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-17005
|
| VCID-eyrw-5dmv-pqfe | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22764
|
| VCID-ez2n-6egs-wqge | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5170
|
| VCID-f1zm-g4es-vfbz | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0239
|
| VCID-f2tn-1hq4-uffa | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. |
CVE-2025-9179
|
| VCID-f3ws-d8fh-9ucz | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26959
|
| VCID-f4ja-2ydw-cufu | The executable file warning was not presented when downloading .library-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2024-11693
|
| VCID-f4pn-vjxk-ybfx | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12379
|
| VCID-f4xy-kftc-mug2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32207
|
| VCID-f5w8-j656-akf4 | Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-1017
|
| VCID-f79a-dxkf-8yeu | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12361
|
| VCID-f81v-9fv8-93cd | Out-of-bounds Write Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
CVE-2023-5217
GHSA-qqvq-6xgj-jw8g |
| VCID-f8c7-p8nz-bbap | A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server.*Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* |
CVE-2023-29532
|
| VCID-f8fw-f3kt-8feb | Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6514
|
| VCID-fa1y-hpcb-27gj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22760
|
| VCID-fdue-dg92-13cp | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5146
|
| VCID-ffd7-y29n-6fan | XSLT document loading did not correctly propagate the source document which bypassed its CSP. |
CVE-2025-8032
|
| VCID-fpt6-rk5a-1yfj | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1737
|
| VCID-fpw1-j3wb-xfd5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45408
|
| VCID-frvc-mqhd-eydh | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-6601
|
| VCID-fs3v-8fsn-uygj | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-28427
GHSA-mwq8-fjpf-c2gr |
| VCID-fsff-rm4y-wudc | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2780
|
| VCID-fsvy-jfhn-1ydz | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12419
|
| VCID-ft6u-geds-fua9 | JIT miscompilation in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4702
|
| VCID-fw8f-1wt7-afdb | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1045
|
| VCID-fwr3-cgq1-a3b4 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6204
|
| VCID-fx8t-41tv-hkdu | Use After Free png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute. |
CVE-2019-7317
|
| VCID-fxnj-rr7h-ryb5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46880
|
| VCID-fxyr-h69x-fybu | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3809
|
| VCID-fz39-2htc-4qb3 | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3804
|
| VCID-g1af-pkh5-xygt | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25742
|
| VCID-g24d-23zk-6fgn | AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. |
CVE-2024-2608
|
| VCID-g2et-bnvt-9fem | During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* |
CVE-2019-17021
|
| VCID-g2jp-fq7y-kkcn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11730
|
| VCID-g3n8-mvdt-cqdj | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-3029
|
| VCID-g3nf-qnz2-h7gg | Images from a different domain can be read using a canvas object in some circumstances. This could be used to steal image data from a different site in violation of same-origin policy. |
CVE-2019-9817
|
| VCID-g4vz-yx5u-s7br | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1742
|
| VCID-g5yf-hp8r-rkcs | A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. |
CVE-2025-5986
|
| VCID-g5z1-9an3-aubs | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5732
|
| VCID-gcnq-avax-aqcv | Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2776
|
| VCID-gfdf-pxta-xbg1 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12387
|
| VCID-gfve-nzmn-dbbd | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29914
|
| VCID-ghhu-atxz-8ya9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11708
|
| VCID-ghqe-gsw9-c3e4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32211
|
| VCID-gjvm-8v8y-d7c5 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23982
|
| VCID-gkva-6cu9-7keg | Sandbox escape in the Responsive Design Mode component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4692
|
| VCID-gne2-jk48-juhs | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11707
|
| VCID-gph4-xa9p-73fr | Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-4091
|
| VCID-gpjz-649k-f3he | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-5696
|
| VCID-gr1m-pdaw-a3h1 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12377
|
| VCID-gr47-gb4n-87an | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5144
|
| VCID-grjt-j4at-pqbp | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11692
|
| VCID-gs3s-s4zk-fyh4 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-37201
|
| VCID-gs89-ejt1-q7db | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2783
|
| VCID-gxfx-4gxp-3kdw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34481
|
| VCID-h2gc-zk2a-1fg6 | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0884
|
| VCID-h4r6-jrxh-6kcf | JIT optimizations involving the Javascript arguments object could confuse later optimizations. This risk was already mitigated by various precautions in the code, resulting in this bug rated at only moderate severity. |
CVE-2020-15656
|
| VCID-h5ub-djvf-nffv | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3302
|
| VCID-h9em-p9se-rucn | Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14321
|
| VCID-hay5-714d-u7fd | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12405
|
| VCID-hb7d-bejp-eueu | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11711
|
| VCID-hccf-ueut-vugw | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14322
|
| VCID-hetc-sghb-1fcx | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8384
|
| VCID-hfp7-jaxc-2khq | Uninitialized memory in the JavaScript Engine component. |
CVE-2025-9181
|
| VCID-hfx8-7x82-zqfk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10466
|
| VCID-hgjx-1srq-4qar | As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1530
|
| VCID-hgy1-3pbq-s3ch | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-42932
|
| VCID-hhu1-cgcx-nfev | During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. |
CVE-2021-38498
|
| VCID-hm7h-1na5-7bbx | The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. |
CVE-2025-1015
|
| VCID-hn17-6nvj-9qfw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22738
|
| VCID-hp32-swmr-qqdy | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46878
|
| VCID-hs5f-21nx-gfeb | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11729
|
| VCID-hsc9-up4x-nbgs | Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2762
|
| VCID-hshc-4xnc-gug4 | Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4704
|
| VCID-hsr3-c152-nucq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-28286
|
| VCID-hstd-23qm-bqdg | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4717
|
| VCID-hsy2-jvn8-s3gs | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5089
|
| VCID-htrf-wxeh-cyha | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5098
|
| VCID-husj-kjf4-ufeq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34479
|
| VCID-hw91-g7qe-n3a9 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7829
|
| VCID-j1hb-8jjy-tqgq | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4693
|
| VCID-j1yh-f1np-wbcv | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4584
|
| VCID-j1zj-1dr1-8yhc | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29912
|
| VCID-j2ax-jb2h-byeu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4052
|
| VCID-j2qd-ebuh-8be5 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6819
|
| VCID-j45f-m9q5-vfah | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-50762
|
| VCID-j5db-jvd9-7kbj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15685
|
| VCID-j5k8-ztxb-uffb | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0238
|
| VCID-j64y-ejt3-tbe3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11757
|
| VCID-j6c3-817n-zydj | OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. |
CVE-2023-0547
|
| VCID-j6w1-yhc3-uqfw | An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. |
CVE-2025-6425
|
| VCID-j7j8-g9du-mqfz | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12366
|
| VCID-j9mh-ug68-jkfm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5096
|
| VCID-j9mr-8yac-3ubj | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1735
|
| VCID-jajw-gyuh-v3dj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12395
|
| VCID-javq-3r82-73fq | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2019-17022
|
| VCID-jebk-6hja-ukfc | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9402
|
| VCID-jg37-y3r7-8fcq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34484
|
| VCID-jj6t-1q5f-uyez | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22763
|
| VCID-jm7w-hqzq-tqde | Thunderbird executed javascript: URLs when used in object and embed tags. |
CVE-2025-8029
|
| VCID-jr81-ed7a-aqcp | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6811
|
| VCID-jtrv-jyme-sybh | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5159
|
| VCID-jtsz-m5jr-ebdc | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15664
|
| VCID-jtyr-jd5m-87c3 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15659
|
| VCID-jw36-uybs-cyg9 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12398
|
| VCID-jy6e-d578-nkcg | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38507
|
| VCID-jybh-8px4-pqau | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0885
|
| VCID-jyns-kqp9-4ygh | By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. |
CVE-2025-2830
|
| VCID-jyur-q447-t7hr | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26973
|
| VCID-jzte-jqk6-7ya6 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5169
|
| VCID-k2s2-zkua-8ydy | NSS has an information disclosure vulnerability when handling DSA keys. |
CVE-2020-12399
|
| VCID-k321-r7qq-gbb9 | A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. |
CVE-2019-11691
|
| VCID-k3ec-bt9r-pkhg | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9397
|
| VCID-k4e4-363e-xyff | Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2021-43534
|
| VCID-k8nw-bn74-6qe5 | Multiple vulnerabilities have been found in Chromium, the worst of which could result in the remote execution of code. |
CVE-2019-5798
|
| VCID-ka9e-ps8e-ryc8 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9392
|
| VCID-ka9x-22be-p7aw | Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which allows remote attackers to execute arbitrary code. |
CVE-2018-17466
|
| VCID-kat5-hy8e-skah | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29989
|
| VCID-kbqr-p81f-k3ch | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12383
|
| VCID-kbyn-rze5-2qeg | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2787
|
| VCID-kdwy-7p45-hbcs | Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13015
|
| VCID-kf1h-zg32-1yh4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40960
|
| VCID-kfxp-azcd-2yej | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46871
|
| VCID-khsw-jwtm-8faq | A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash. |
CVE-2021-43535
|
| VCID-kk2m-2mxz-sbex | Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7. |
CVE-2025-14327
|
| VCID-kk9k-mpvr-7kh9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23981
|
| VCID-kkgh-a9hg-fud8 | A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. |
CVE-2025-11710
|
| VCID-kpk1-e652-nkfa | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22761
|
| VCID-kpun-mgtm-5uhd | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9399
|
| VCID-krg2-d4vy-z7fu | During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. *Note: this issue only occurs on Windows. Other operating systems are unaffected.* |
CVE-2019-17015
|
| VCID-krq5-4j17-vfg9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-28164
|
| VCID-kskc-agaw-8bcr | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6857
|
| VCID-ku26-71r1-vfem | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3854
|
| VCID-kuwd-6tcg-fuha | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4713
|
| VCID-kx3j-abfc-qfh2 | An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. |
CVE-2024-9393
|
| VCID-kxu1-tc8y-4ufj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1197
|
| VCID-kzd5-gpff-kbee | As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1723
|
| VCID-kzh6-b6jx-hbc4 | The Mozilla Foundation has reported numerous vulnerabilities in Mozilla Firefox, including one that may allow execution of arbitrary code. |
CVE-2006-4568
|
| VCID-m1tv-6fpx-dudj | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4565
|
| VCID-m26q-fgjn-yugu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25730
|
| VCID-m2cy-38ne-87dy | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5117
|
| VCID-m2sr-re2h-3baq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4050
|
| VCID-m3mp-su9k-sfhs | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2763
|
| VCID-m5h6-y3tw-eue6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-20503
|
| VCID-m6hy-v2x8-e3b5 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11706
|
| VCID-m6uv-91wz-xfdv | Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4700
|
| VCID-m8cv-zhfc-4kc1 | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1727
|
| VCID-m92a-91pv-dffv | If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead.*Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2020-35112
|
| VCID-m93r-91y4-xyaz | An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. |
CVE-2025-1010
|
| VCID-m9h1-aw7r-jqb2 | An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. |
CVE-2024-7652
|
| VCID-mbvn-dx8r-ubfe | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5161
|
| VCID-mc6m-8uzs-pkgu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25744
|
| VCID-menq-g5ce-1yd8 | Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2026-2793
|
| VCID-mfs8-2vzs-pybf | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-3859
|
| VCID-mh92-65bz-43ds | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5721
|
| VCID-mj7n-8hf6-2qar | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5724
|
| VCID-mkyz-6v1k-wyen | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29987
|
| VCID-mm6w-kpe8-4kg3 | Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4684
|
| VCID-mm7x-rfzg-uqfc | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45404
|
| VCID-mmvb-w19n-97a3 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12420
|
| VCID-mn6j-2wd1-ukfb | Integer overflow in the Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2774
|
| VCID-mnt3-q341-j7gj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11763
|
| VCID-mp4n-ez8p-63ek | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-28163
|
| VCID-mqte-f1hw-2ya5 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22753
|
| VCID-mrb2-hz9y-4ufp | When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack. |
CVE-2025-6430
|
| VCID-mrmv-u676-c7eq | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18513
|
| VCID-ms9h-982a-pkdu | Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. |
CVE-2025-1014
|
| VCID-mup7-wezz-gkgc | When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. |
CVE-2022-3032
|
| VCID-mv4d-eqtc-kkgw | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23968
|
| VCID-mw96-qtnz-gqdx | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10465
|
| VCID-mw9j-h66p-k7as | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-28289
|
| VCID-mwd4-pgxg-zkha | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26485
|
| VCID-mwj3-wa1g-buay | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-37207
|
| VCID-mwyd-ba4z-eug6 | An upgrade in the XML parser introduced a bug that could read beyond the end of the buffer, often causing a crash. We don't know if this could be exploited to incorporate private data into the DOM of an XML document, but could be a privacy risk if so. Firefox 1.0, Thunderbird 1.0 and Mozilla Suite 1.7 are not affected.Update (13 April 2006) This flaw has been fixed in Thunderbird 1.5.0.2 |
CVE-2006-0298
|
| VCID-myv9-89b8-w7dm | In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won’t prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. *Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems.* |
CVE-2018-5174
|
| VCID-mzbp-5r6m-27cm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22740
|
| VCID-n1uk-fcmx-yuee | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-38478
|
| VCID-n1v6-q6wt-ebaj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-18494
|
| VCID-n2hq-1ck4-ayhp | Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. |
CVE-2025-5263
|
| VCID-n3rs-11fq-wqc4 | Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. |
CVE-2025-3875
|
| VCID-n454-esxc-ckhd | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12367
|
| VCID-n4hu-b1t6-xkay | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10458
|
| VCID-n4kc-y37w-qkdk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-38506
|
| VCID-n796-xf5e-pucq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-4140
|
| VCID-n8gb-hpjb-v7a5 | Return registers were overwritten which could have allowed an attacker to execute arbitrary code. *Note:* This issue only affected Armv7-A systems. Other operating systems are unaffected. |
CVE-2024-2607
|
| VCID-n8hk-44ah-bugr | Due to insufficient escaping of the ampersand character in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* |
CVE-2025-4084
|
| VCID-n9jq-77ud-v7c9 | When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. |
CVE-2025-3523
|
| VCID-nbvc-j1zu-v7d8 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11762
|
| VCID-ndd4-kd1y-z7ep | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0878
|
| VCID-ngja-2eff-h7hk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-34414
|
| VCID-nhsr-4zux-2bck | Use-after-free in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2769
|
| VCID-nkpq-9gd6-nuc4 | Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2026-0891
|
| VCID-nkzt-x77d-8qb3 | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3113
|
| VCID-nmh4-zpeh-4bcr | Multiple vulnerabilities have been found in Expat, the worst of which could result in a Denial of Service condition. |
CVE-2019-15903
|
| VCID-nq6f-ezcx-mfas | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-50761
|
| VCID-ntqr-ptmu-yuen | Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2767
|
| VCID-nvsz-9s3r-nbhq | Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4718
|
| VCID-nyhm-tguf-gkat | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5104
|
| VCID-nzcd-dk9q-puh1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26976
|
| VCID-p9zh-7wyj-hffm | Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2771
|
| VCID-pbhu-5gkn-qkb8 | When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status. |
CVE-2021-4126
|
| VCID-pcgf-xtfq-6ugb | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14330
|
| VCID-pcrz-f3nj-kybr | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1938
|
| VCID-pemg-ndu8-wbbc | Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0879
|
| VCID-pepm-1t68-uuf1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6864
|
| VCID-pj4h-ff45-e3ez | A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. |
CVE-2025-1013
|
| VCID-pmkt-c3bw-zkhz | By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. |
CVE-2024-9398
|
| VCID-pn68-e9g7-qbf1 | The executable file warning did not warn users before opening files with the terminal extension. *This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.* |
CVE-2025-6426
|
| VCID-pneu-6c1f-zkfa | Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. |
CVE-2025-3909
|
| VCID-pryc-r9jn-9bds | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12378
|
| VCID-ps9s-3kuv-1yh1 | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15677
|
| VCID-psc3-4ssv-wyb5 | On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. |
CVE-2025-8027
|
| VCID-pse8-xnc7-gkbv | Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. |
CVE-2024-2610
|
| VCID-pst5-367g-h7cs | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8386
|
| VCID-pv9q-fcta-ffbq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4577
|
| VCID-pvvt-h3mh-33eb | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0741
|
| VCID-pws7-8qmm-hfes | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-17008
|
| VCID-pybb-2ny2-quas | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6209
|
| VCID-pyqg-v477-auex | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3811
|
| VCID-pzf5-v82a-hkb9 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26486
|
| VCID-q17c-5xdn-uqcf | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-0616
|
| VCID-q1pv-avug-juef | Privilege escalation in the Messaging System component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2777
|
| VCID-q494-zvyn-quge | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46881
|
| VCID-q4bf-vh36-kye9 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22756
|
| VCID-q4vz-2zau-sqgh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7846
|
| VCID-q5ch-b97k-k3hp | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29982
|
| VCID-q77k-hc9g-9fhm | The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service.*Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.* |
CVE-2021-29951
|
| VCID-q9f4-zumy-wbfy | Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-8034
|
| VCID-qcxw-ds31-3ubd | When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. |
CVE-2026-0818
|
| VCID-qd4e-g5zv-1ucf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43539
|
| VCID-qd97-asaa-2fey | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8385
|
| VCID-qdqj-rhcr-wbca | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6856
|
| VCID-qeh2-jn2v-9ug7 | A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. |
CVE-2025-11709
|
| VCID-qgvp-4eea-bkgm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22748
|
| VCID-qgvy-hzsx-hkge | Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13014
|
| VCID-qh4a-bn9p-a7hh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26387
|
| VCID-qhwf-9n5n-hbaa | The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. |
CVE-2020-15658
|
| VCID-qkks-24cp-gqg2 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4706
|
| VCID-qm8f-f8nr-qba9 | Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0880
|
| VCID-qpm2-9p1h-37fd | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1732
|
| VCID-qq5h-5k45-rycm | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23995
|
| VCID-qta2-8rnt-k7d1 | Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2788
|
| VCID-qtcm-9z3v-dydn | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0241
|
| VCID-qv74-f7ax-83cp | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-38473
|
| VCID-qv7a-3c41-x3cr | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-38477
|
| VCID-qv8f-9y37-bbdk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29985
|
| VCID-qvqm-n242-vyea | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12405
|
| VCID-qw3q-xg7s-wbd7 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2025-26695
|
| VCID-qy44-ubss-x7et | Multiple vulnerabilities have been found in Mozilla Thunderbird, the world of which could result in arbitrary code execution. |
CVE-2022-40962
|
| VCID-qz95-5z9e-7qb7 | The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. |
CVE-2025-8033
|
| VCID-r29z-4m4j-8kft | A use-after-free in FontFaceSet resulted in a potentially exploitable crash. |
CVE-2025-6424
|
| VCID-r4th-1n98-aqc6 | A use-after-free in Mozilla Firefox might allow remote attacker(s) to execute arbitrary code. |
CVE-2020-26950
|
| VCID-r587-gyj4-5kee | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29911
|
| VCID-r631-9h74-sygv | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-28282
|
| VCID-r7ss-g876-c7fg | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0237
|
| VCID-r7vt-w149-9bfn | Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2773
|
| VCID-r7vv-451v-nbag | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12392
|
| VCID-rafq-49c4-u7g6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32215
|
| VCID-rarq-q7qa-nud7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-32213
|
| VCID-rbna-kkn2-2baj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5176
|
| VCID-rbuu-mph9-7uay | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1550
|
| VCID-rcg4-7hjg-v7du | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10463
|
| VCID-rev7-13wx-kqew | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11715
|
| VCID-rfve-tkv7-13dv | Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. |
CVE-2025-3522
|
| VCID-rg63-avu7-2bdc | Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10527
|
| VCID-rhdv-jxvv-5yb2 | A same-origin policy violation allowing the theft of cross-origin URL entries when using a <meta> meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. |
CVE-2018-18499
|
| VCID-rhzx-ha7x-dfew | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9791
|
| VCID-rkj9-dd18-xka9 | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. |
CVE-2025-5267
|
| VCID-rp5h-ym8y-skbw | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4701
|
| VCID-rq11-qm9e-7ubk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43545
|
| VCID-rsy6-acfe-ffb5 | The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.*This bug only affects Firefox for Windows. Other operating systems are unaffected.* |
CVE-2022-22744
|
| VCID-rszh-1c16-47ah | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6798
|
| VCID-ruc1-kmaz-fkbb | Incorrect boundary conditions in the JavaScript: GC component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. |
CVE-2025-10532
|
| VCID-s326-zdyp-67ev | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11742
|
| VCID-s3vw-7gyn-ubdt | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-3600
|
| VCID-s4ey-k6yr-j7du | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2016-5824
|
| VCID-s556-eg79-77gu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7522
|
| VCID-s89g-7f5f-5qd2 | Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. |
CVE-2025-6429
|
| VCID-s95f-9g8b-s3es | By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. |
CVE-2024-5690
|
| VCID-saht-cs9w-h7h7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5095
|
| VCID-sb4d-y4bp-k3h9 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26958
|
| VCID-scb8-77mr-zkap | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3805
|
| VCID-scgj-9r68-due3 | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4253
|
| VCID-scqu-uppe-w3h3 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11744
|
| VCID-sfyj-m6xa-8bbc | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4581
|
| VCID-sg2y-gfue-6qam | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10461
|
| VCID-sgc4-z5aa-nkct | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1834
|
| VCID-sgwe-9xfj-6kav | Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2783
|
| VCID-sh7r-dftz-kyhn | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4045
|
| VCID-sjy7-cp3x-nfh2 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12368
|
| VCID-skbg-e4em-bkaw | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-18492
|
| VCID-sknm-65ff-4uck | Cross-origin images can be read from a canvas element in violation of the same-origin policy using the transferFromImageBitmap method. |
CVE-2018-18511
|
| VCID-sm2q-bg6f-4qag | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34468
|
| VCID-snbc-j4e3-uff1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4582
|
| VCID-sq1u-5jfc-dyh1 | A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supported releases.* |
CVE-2019-9816
|
| VCID-sr45-86k8-8ybs | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12364
|
| VCID-ss1w-euua-83gz | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1552
|
| VCID-ss9j-7jd7-nbf1 | Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2770
|
| VCID-su89-u51g-z3hs | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23598
|
| VCID-svqy-5b6h-7yfj | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-6603
|
| VCID-svy5-paub-2bhr | Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. |
CVE-2025-0510
|
| VCID-swgj-zee2-x3hv | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5183
|
| VCID-t2c3-smqc-zkba | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0877
|
| VCID-t4eb-c363-u7hc | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6805
|
| VCID-t4rc-yuj8-n7au | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0746
|
| VCID-t4t3-5pt5-ayds | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4685
|
| VCID-t52p-7rr7-57ax | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-6604
|
| VCID-t5kr-v1tx-5kdy | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2786
|
| VCID-t769-2t1u-57b6 | Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.*This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.* |
CVE-2021-38505
|
| VCID-t8gg-ptc1-qfdw | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4056
|
| VCID-t8mb-cdc3-6ydq | Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on mac OS. |
CVE-2024-6600
|
| VCID-t98b-d1uu-pkan | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-1196
|
| VCID-t9cw-yjar-ckfd | A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. |
CVE-2025-11712
|
| VCID-tanb-52bq-k3hn | A crafted S/MIME message consisting of an inner encryption layer and an outer SignedData layer was shown as having a valid digital signature, although the signer might have had no access to the contents of the encrypted message, and might have stripped a different signature from the encrypted message. Previous versions had only suppressed showing a digital signature for messages with an outer multipart/signed layer. |
CVE-2019-11755
|
| VCID-tbu1-adxe-sudv | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18501
|
| VCID-tce3-s87t-2qh8 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25737
|
| VCID-te1e-sjsk-bfd8 | Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2768
|
| VCID-tec1-8t8s-zqgb | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18500
|
| VCID-tegn-2y58-t3de | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7521
|
| VCID-teh4-fmg6-53ab | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-30547
|
| VCID-tfa3-jx19-h7bz | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11746
|
| VCID-tff1-6wkz-jyar | Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. |
CVE-2019-9797
|
| VCID-tfny-yt17-mffx | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4054
|
| VCID-tfry-ch3y-fyb1 | Mozilla developers and community members Olli Pettay, Bogdan Tara, Jan de Mooij, Jason Kratzer, Jan Varga, Gary Kwong, Tim Guan-tin Chien, Tyson Smith, Ronald Crane, and Ted Campbell reported memory safety bugs present in Firefox 66 and Firefox ESR 60.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. |
CVE-2019-9800
|
| VCID-tgpf-32kg-rqc2 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0240
|
| VCID-tgsj-hp8b-27f9 | There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. |
CVE-2025-11711
|
| VCID-tjkj-zeeh-xqcy | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11752
|
| VCID-tjp3-ck7p-5qg3 | An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. |
CVE-2024-2605
|
| VCID-tjtk-gghp-1kdf | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23999
|
| VCID-tkzd-c11q-3qaf | Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14331
|
| VCID-tmjf-y8uf-kua8 | As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1529
|
| VCID-tnxh-tgsm-tuex | A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.*This bug only affects Firefox for Windows. Other operating systems are unaffected.* |
CVE-2022-22746
|
| VCID-tpk8-jte1-37ap | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-9811
|
| VCID-tps4-kxe2-5ugb | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6858
|
| VCID-tq43-rx5u-eybv | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4583
|
| VCID-tre6-ytkj-k7c4 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6821
|
| VCID-tutg-2zzk-4uam | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6207
|
| VCID-tvsp-tsfk-v7eg | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11759
|
| VCID-u23v-7afk-qben | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12363
|
| VCID-u3j3-fc4f-7ff7 | Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4686
|
| VCID-u584-a1yu-jqcf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7824
|
| VCID-u5n5-6h82-tqhw | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25734
|
| VCID-u63v-3cmf-ryh6 | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2775
|
| VCID-u8sk-mm4g-ffem | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7823
|
| VCID-u9pc-4b61-gkeg | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could lead to remote code execution. |
CVE-2024-5702
|
| VCID-ubgg-n1xv-mfhx | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1733
|
| VCID-ucgx-bfkb-4kg5 | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2779
|
| VCID-ucyq-vbwq-r7f3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12397
|
| VCID-ud33-vgxh-8khj | Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2766
|
| VCID-uds6-qahc-bqh7 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5184
|
| VCID-ugjs-4tca-d3dk | The bufferdata function in WebGL is vulnerable to a buffer overflow with specific graphics drivers on Linux. This could result in malicious content freezing a tab or triggering a potentially exploitable crash. *Note: this issue only occurs on Linux. Other operating systems are unaffected.* |
CVE-2019-11693
|
| VCID-uh95-a456-7kbx | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0747
|
| VCID-uhde-5x3s-u7fk | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23954
|
| VCID-ukf2-qcjg-u7bg | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-0243
|
| VCID-ukut-zyjx-93gq | Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13013
|
| VCID-un8e-mz4v-t7ea | When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn't distributed by Thunderbird. If a computer has already been infected with a malicious library of the alternative filename, and the malicious library has been copied to a directory that is contained in the search path for executable libraries, then Thunderbird will load the incorrect library. |
CVE-2021-29949
|
| VCID-upvn-56py-8ud7 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1933
|
| VCID-urpr-qse2-7kcf | Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak.*Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2020-26966
|
| VCID-ushb-eq8b-x3az | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-5785
|
| VCID-utn7-mdgr-z7em | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43538
|
| VCID-uuc6-a3xx-6khk | Firefox will accept any registered Program ID as an external protocol handler and offer to launch this local application when given a matching URL on Windows operating systems. This should only happen if the program has specifically registered itself as a "URL Handler" in the Windows registry. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.* |
CVE-2019-9801
|
| VCID-uuxf-cyfq-p3e2 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45412
|
| VCID-uv8b-n94e-budc | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23987
|
| VCID-uvzd-dxhu-hydg | An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. |
CVE-2022-3266
|
| VCID-uwzy-pbnf-kkfw | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15969
|
| VCID-ux24-3d83-23c6 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-8381
|
| VCID-uy2g-rmuh-pkbe | It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. |
CVE-2025-3932
|
| VCID-v5vy-j784-r3bj | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-26971
|
| VCID-v789-nhyw-wugk | If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. |
CVE-2024-5688
|
| VCID-v865-5aar-sueu | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34470
|
| VCID-v9ua-1tey-cyaa | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46875
|
| VCID-vb9f-xdth-j7h3 | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3802
|
| VCID-vc9x-hjtc-q3f1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43536
|
| VCID-vcf2-b7mj-tfg4 | To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. |
CVE-2024-2616
|
| VCID-vcnn-u8k9-8ubs | Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-8035
|
| VCID-vd6g-ywvd-gfhf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-29909
|
| VCID-vdpy-f9d9-pfac | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-10467
|
| VCID-vdzj-kqfy-d3b7 | libwebp: OOB write in BuildHuffmanTable Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page. |
CVE-2023-4863
GHSA-j7hp-h8jx-5ppr |
| VCID-vg6v-8pv2-mfhf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-31736
|
| VCID-vgf2-x49m-cqde | If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. |
CVE-2021-29957
|
| VCID-vgqa-e7yg-wygj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-36319
|
| VCID-vhy3-sx9u-budr | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5127
|
| VCID-vjw1-g5kk-zuda | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4046
|
| VCID-vma9-r6uy-p7c1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6208
|
| VCID-vmm4-dq3p-kqhu | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-37211
|
| VCID-vpd3-v3fr-hkdm | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-28285
|
| VCID-vqeh-hhax-fqba | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3812
|
| VCID-vrvn-krwb-d3dr | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9795
|
| VCID-vszp-vyxy-f7g7 | Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2781
|
| VCID-vt2f-abwe-4ba2 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-24002
|
| VCID-vtjf-sufh-p3h4 | crossbeam-deque Data Race before v0.7.4 and v0.8.1 ### Impact In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. ### Patches This has been fixed in crossbeam-deque 0.8.1 and 0.7.4. ### Credits This issue was reported and fixed by Maor Kleinberger. ### License This advisory is in the public domain. |
CVE-2021-32810
GHSA-pqqp-xmhj-wgcw |
| VCID-vtmx-swps-zyat | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-38472
|
| VCID-vtwu-x1vt-x3bq | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29945
|
| VCID-vun4-z8ju-gbbc | If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with administrative privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with system privileges.*Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2020-15663
|
| VCID-vvpm-3zhz-77dm | A use-after-free vulnerability can occur when listeners are removed from the event listener manager while still in use, resulting in a potentially exploitable crash. |
CVE-2019-11692
|
| VCID-vw4n-4r41-ukbp | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5727
|
| VCID-vwkf-9gfp-d3cy | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0749
|
| VCID-vz6w-wghm-nqaq | Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2025-9185
|
| VCID-vzg5-b77s-g3ft | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-34478
|
| VCID-w1cg-up6a-7ycg | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-28162
|
| VCID-w2ee-bevv-p7e6 | The security check in js_ValueToFunctionObject() can be bypassed by clever use of setTimeout() and the new Firefox 1.5 array method ForEach. shutdown demonstrated how to leverage this into a privilege escalation vulnerability that would allow the installation of malware.This vulnerability was introduced during Firefox 1.5 development, Firefox 1.0 and Mozilla Suite 1.7 are not affected.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1726
|
| VCID-w2xw-eupp-cqgf | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25739
|
| VCID-w44w-qwmk-mbbd | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5154
|
| VCID-w4u8-25rz-gqeq | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2782
|
| VCID-w5hu-w7mu-b3g3 | If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar and the resulting bookmark is subsequently dragged and dropped into the web content area, an arbitrary query of a user's browser history can be run and transmitted to the content page via drop event data. This allows for the theft of browser history by a malicious site. |
CVE-2019-11698
|
| VCID-w68x-99b7-7qgs | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29984
|
| VCID-w6j3-6a6j-uqf1 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1931
|
| VCID-w794-gqex-83du | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-6602
|
| VCID-w7gj-shrq-3fcz | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-11699
|
| VCID-w7rm-rw2c-wuas | Multiple vulnerabilities have been found in Mozilla Firefox and Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-15678
|
| VCID-w814-2cmz-ruhz | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29535
|
| VCID-w89k-tvfx-cbez | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-12406
|
| VCID-w8sy-3r3a-43ar | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4566
|
| VCID-wagm-cq36-k7g3 | Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2760
|
| VCID-wcfk-t1kd-2kgv | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-25752
|
| VCID-wfn6-c2ap-y3g4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7810
|
| VCID-wj3c-xpra-vffj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12376
|
| VCID-wk26-kc1d-9qcy | Firefox could be made to load attacker-supplied DLL files from the installation directory. This required an attacker that is already capable of placing files in the installation directory. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2020-15657
|
| VCID-wmyy-2cg3-wyhc | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4697
|
| VCID-wpm1-y59u-zkgu | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6807
|
| VCID-wpvp-c7aw-qfhw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11761
|
| VCID-wqb6-fpwk-ekgy | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26386
|
| VCID-wqpr-2514-u7d4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11713
|
| VCID-wqw2-gjvu-6qbu | Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4690
|
| VCID-wsdd-t7d2-gbda | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-24713
GHSA-m5pq-gvj9-9vr8 |
| VCID-wvx2-pba2-sqha | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4708
|
| VCID-ww34-5gw7-cfa6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5145
|
| VCID-wwck-cpa8-y3c5 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9792
|
| VCID-wwdh-xmux-3qdq | Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2759
|
| VCID-wwgd-pew4-zkf5 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18505
|
| VCID-wwjw-cqjk-8qe2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7828
|
| VCID-wwkc-4c69-cbea | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2784
|
| VCID-wz6r-xzm9-m7hp | Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. |
CVE-2025-13017
|
| VCID-wzpf-nter-m3dv | OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. |
CVE-2021-29956
|
| VCID-wzxk-316c-xqcg | When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.*This bug only affects Firefox for Windows. Other operating systems are unaffected.* |
CVE-2022-31739
|
| VCID-x12h-hqf2-37cc | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2019-17016
|
| VCID-x4b1-wug7-wuex | If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. |
CVE-2022-45414
|
| VCID-x4sm-zyc1-ffd4 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2019-9796
|
| VCID-x4vq-y6b6-dqf6 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6806
|
| VCID-x8eu-wc55-mkcw | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4340
|
| VCID-x8sj-apw2-e3h6 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-29981
|
| VCID-x8yg-mxu2-63gz | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-0748
|
| VCID-xan8-8fq6-yfgd | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0742
|
| VCID-xcbn-tkgg-4ben | Use-after-free in the Audio/Video: Playback component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
CVE-2026-2772
|
| VCID-xevc-xbcg-1yct | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7526
|
| VCID-xewd-ab7q-5bfs | Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code. |
CVE-2006-2776
|
| VCID-xg25-xm9t-cfb8 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0750
|
| VCID-xghm-4ygw-tkb2 | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. |
CVE-2025-14324
|
| VCID-xn67-qscw-nuet | The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. |
CVE-2006-3807
|
| VCID-xp3b-fyfq-xbbq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22741
|
| VCID-xrg1-azru-5qf1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4051
|
| VCID-xsp9-azn2-87cn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7848
|
| VCID-xt5q-bfq6-73bn | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2019-11743
|
| VCID-xtch-eqwb-s3ag | The Mozilla Foundation has reported multiple security vulnerabilities related to Mozilla Thunderbird. |
CVE-2006-4567
|
| VCID-xud3-4s7g-rkcv | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43537
|
| VCID-xwcf-p97m-xfe1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7847
|
| VCID-xyqa-esey-73e1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7525
|
| VCID-y12a-2bn1-vkdz | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22759
|
| VCID-y14s-zt8p-syby | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5125
|
| VCID-y3v2-cyyc-yyep | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45403
|
| VCID-y43f-tmvr-hqas | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22747
|
| VCID-y45y-r8h7-6yez | Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. |
CVE-2025-5269
|
| VCID-y7sk-dmau-4fam | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1936
|
| VCID-y7u2-9qe6-17g4 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23960
|
| VCID-y7wn-9j43-jba3 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-22742
|
| VCID-y8vr-48q8-a3aj | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6800
|
| VCID-y8xv-ss2c-4bhk | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2024-0753
|
| VCID-yaz5-6485-u7c1 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7818
|
| VCID-yb18-qe5e-dbck | Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. |
CVE-2024-4777
|
| VCID-ybm7-rhy6-s3dq | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-2226
|
| VCID-yc74-5kag-2bdn | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45409
|
| VCID-ycua-7k2y-rqfr | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23953
|
| VCID-yd2q-assr-v3er | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6212
|
| VCID-ydz6-761h-jbeq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45421
|
| VCID-ye9r-gnzm-sqe2 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-2200
|
| VCID-yfmg-82tr-gfec | The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.* |
CVE-2021-38510
|
| VCID-yfwd-x224-3qe6 | Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. |
CVE-2025-8030
|
| VCID-yg34-x56m-rufk | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1936
|
| VCID-yg7c-ar4c-w3fn | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2020-16012
|
| VCID-ygrd-4scr-wkau | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-4053
|
| VCID-yh3z-a7ed-sugh | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-12373
|
| VCID-yhj1-h62u-mud5 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29533
|
| VCID-yjc2-2whn-uug5 | Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4694
|
| VCID-yjyu-u73t-u7bh | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-29536
|
| VCID-ykzd-mar6-r3c5 | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2017-7819
|
| VCID-ym7a-e9b5-5ygm | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-12359
|
| VCID-ymak-rv52-h7a5 | Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. |
CVE-2026-4710
|
| VCID-ymu8-mjph-f7a4 | A race during concurrent delazification could have led to a use-after-free. |
CVE-2025-1012
|
| VCID-yp2g-rueg-4bcv | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. |
CVE-2021-23973
|
| VCID-ypav-ujzc-9qdf | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-0296
|
| VCID-yq6p-sv1g-m3bj | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-18493
|
| VCID-yr3c-1cqv-n3bw | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2020-6812
|
| VCID-yr3u-k2gz-n3d3 | Multiple vulnerabilities have been found in Mozilla Thunderbird and Firefox, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-18512
|
| VCID-yuex-f2ae-ffft | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43542
|
| VCID-yuhg-jeet-cffp | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-45420
|
| VCID-yust-3g8v-muas | The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* |
CVE-2024-3863
|
| VCID-yxdd-fgbw-rug1 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2023-23603
|
| VCID-yxy6-s185-myc9 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
CVE-2022-46874
|
| VCID-yy95-yypj-cqbh | An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. |
CVE-2021-23993
|
| VCID-yzys-pzzg-a7dk | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2018-5178
|
| VCID-z19z-zu3b-5khe | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-4129
|
| VCID-z23q-ts2f-17a3 | Normally Mozilla-based clients prevent web content from linking to local files but Eric Foley reports a partial bypass of this restriction by using Windows filename syntax (on a Windows computer) rather than a file:/// URL as the SRC= attribute. The image will not be loaded on the web page--it will appear as a broken image--but if a user can be convinced to right-click and select "View Image" then the content will be loaded. Since the image will replace the current document attacker script cannot be run on it. Loading a local file at a known location is about the extent of this attack.If the local file is a media file an external helper program may be launched to play the media depending on your settings. The action will be the same as if you had clicked on a remote link of the same media type and does not present any additional risk. Local files identified as executable will never be opened in this way, with "executable" broadly defined on windows to include many scriptable document formats with a history of being abused.By referencing a local device rather than a file this could be used as a limited denial-of-service attack to hang the browser. |
CVE-2006-1942
|
| VCID-z2t7-sc17-abfs | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. |
CVE-2022-42929
|
| VCID-z52c-v64a-nyhb | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1548
|
| VCID-z5ts-p4r1-bkh6 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-1547
|
| VCID-z6kw-szww-7feq | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-7529
|
| VCID-z6yt-va55-s3ey | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2024-9401
|
| VCID-z7uh-qqy6-hkgb | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-12374
|
| VCID-z8cr-rten-qqg2 | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2025-1932
|
| VCID-zbpq-qcww-6yg1 | Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which may allow execution of arbitrary code. |
CVE-2019-17026
|
| VCID-zdbt-zhtq-xfhj | Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. |
CVE-2025-11713
|
| VCID-zdxh-fp2e-47dd | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. |
CVE-2026-0883
|
| VCID-zefw-etrb-z3fu | Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution. |
CVE-2024-43097
|
| VCID-zfek-fku3-2ydv | Several vulnerabilities in Mozilla Suite allow attacks ranging from script execution with elevated privileges to information leaks. |
CVE-2006-1738
|
| VCID-zfme-e3k1-afct | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5162
|
| VCID-zh2m-qyw5-dkgn | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-17011
|
| VCID-zh6f-rvv2-sbfu | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code. |
CVE-2018-5102
|
| VCID-zhu4-sy56-1yea | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-6861
|
| VCID-zjn8-79ab-tqd3 | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5726
|
| VCID-zqpe-9hvc-vkbp | Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. |
CVE-2023-5725
|
| VCID-zr32-w34c-3ygt | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2021-43528
|
| VCID-zstj-sux9-ubdd | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2019-17010
|
| VCID-ztmj-vavn-8kdf | Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. |
CVE-2022-26383
|
| VCID-zvd4-whm3-bqcr | As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. |
CVE-2006-1724
|
| VCID-zwz9-pt55-t3c6 | Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. |
CVE-2021-38502
|