Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/thunderbird@128.13.0-3?arch=el9_0
purl pkg:rpm/redhat/thunderbird@128.13.0-3?arch=el9_0
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.4
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-43nm-4qjy-vfgj
Aliases:
CVE-2025-8028
On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. There are no reported fixed by versions.
VCID-4byg-5gy3-kkff
Aliases:
CVE-2025-8031
The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. There are no reported fixed by versions.
VCID-ffd7-y29n-6fan
Aliases:
CVE-2025-8032
XSLT document loading did not correctly propagate the source document which bypassed its CSP. There are no reported fixed by versions.
VCID-jm7w-hqzq-tqde
Aliases:
CVE-2025-8029
Thunderbird executed javascript: URLs when used in object and embed tags. There are no reported fixed by versions.
VCID-psc3-4ssv-wyb5
Aliases:
CVE-2025-8027
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. There are no reported fixed by versions.
VCID-q9f4-zumy-wbfy
Aliases:
CVE-2025-8034
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. There are no reported fixed by versions.
VCID-qz95-5z9e-7qb7
Aliases:
CVE-2025-8033
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. There are no reported fixed by versions.
VCID-vcnn-u8k9-8ubs
Aliases:
CVE-2025-8035
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. There are no reported fixed by versions.
VCID-yfwd-x224-3qe6
Aliases:
CVE-2025-8030
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:38:18.419503+00:00 RedHat Importer Affected by VCID-jm7w-hqzq-tqde https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8029.json 38.0.0
2026-04-01T13:38:17.578734+00:00 RedHat Importer Affected by VCID-psc3-4ssv-wyb5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8027.json 38.0.0
2026-04-01T13:38:16.795138+00:00 RedHat Importer Affected by VCID-43nm-4qjy-vfgj https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8028.json 38.0.0
2026-04-01T13:38:15.836018+00:00 RedHat Importer Affected by VCID-yfwd-x224-3qe6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8030.json 38.0.0
2026-04-01T13:38:14.976371+00:00 RedHat Importer Affected by VCID-ffd7-y29n-6fan https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8032.json 38.0.0
2026-04-01T13:38:14.066927+00:00 RedHat Importer Affected by VCID-4byg-5gy3-kkff https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8031.json 38.0.0
2026-04-01T13:38:13.246364+00:00 RedHat Importer Affected by VCID-qz95-5z9e-7qb7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8033.json 38.0.0
2026-04-01T13:38:12.347565+00:00 RedHat Importer Affected by VCID-q9f4-zumy-wbfy https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8034.json 38.0.0
2026-04-01T13:38:11.356661+00:00 RedHat Importer Affected by VCID-vcnn-u8k9-8ubs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8035.json 38.0.0