Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/thunderbird@128.12.0-1?arch=el8_8
purl pkg:rpm/redhat/thunderbird@128.12.0-1?arch=el8_8
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.4
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-g5yf-hp8r-rkcs
Aliases:
CVE-2025-5986
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. There are no reported fixed by versions.
VCID-j6w1-yhc3-uqfw
Aliases:
CVE-2025-6425
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. There are no reported fixed by versions.
VCID-mrb2-hz9y-4ufp
Aliases:
CVE-2025-6430
When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack. There are no reported fixed by versions.
VCID-r29z-4m4j-8kft
Aliases:
CVE-2025-6424
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. There are no reported fixed by versions.
VCID-s89g-7f5f-5qd2
Aliases:
CVE-2025-6429
Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:39:35.691875+00:00 RedHat Importer Affected by VCID-g5yf-hp8r-rkcs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5986.json 38.0.0
2026-04-01T13:39:05.259078+00:00 RedHat Importer Affected by VCID-j6w1-yhc3-uqfw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6425.json 38.0.0
2026-04-01T13:39:04.357244+00:00 RedHat Importer Affected by VCID-r29z-4m4j-8kft https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6424.json 38.0.0
2026-04-01T13:39:03.512688+00:00 RedHat Importer Affected by VCID-s89g-7f5f-5qd2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6429.json 38.0.0
2026-04-01T13:39:02.583612+00:00 RedHat Importer Affected by VCID-mrb2-hz9y-4ufp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6430.json 38.0.0