VulnerableCode Package Details - pkg:rpm/redhat/thunderbird@128.7.0-1?arch=el8_8

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:rpm/redhat/thunderbird@128.7.0-1?arch=el8_8

Essentials
History (10)

purl	pkg:rpm/redhat/thunderbird@128.7.0-1?arch=el8_8

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.4

Vulnerabilities affecting this package (10)

Vulnerability	Summary	Fixed by
VCID-1xcg-n9k4-tqc4 Aliases: CVE-2025-1011	A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution.	There are no reported fixed by versions.
VCID-bzgb-mdsk-yua6 Aliases: CVE-2025-1009	An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash.	There are no reported fixed by versions.
VCID-cypj-1jsu-cbh5 Aliases: CVE-2025-1016	Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	There are no reported fixed by versions.
VCID-f5w8-j656-akf4 Aliases: CVE-2025-1017	Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	There are no reported fixed by versions.
VCID-hm7h-1na5-7bbx Aliases: CVE-2025-1015	The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.	There are no reported fixed by versions.
VCID-m93r-91y4-xyaz Aliases: CVE-2025-1010	An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.	There are no reported fixed by versions.
VCID-ms9h-982a-pkdu Aliases: CVE-2025-1014	Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed.	There are no reported fixed by versions.
VCID-pj4h-ff45-e3ez Aliases: CVE-2025-1013	A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak.	There are no reported fixed by versions.
VCID-svy5-paub-2bhr Aliases: CVE-2025-0510	Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040.	There are no reported fixed by versions.
VCID-ymu8-mjph-f7a4 Aliases: CVE-2025-1012	A race during concurrent delazification could have led to a use-after-free.	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:42:59.288471+00:00	RedHat Importer	Affected by	VCID-bzgb-mdsk-yua6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1009.json	38.0.0
2026-04-01T13:42:58.556414+00:00	RedHat Importer	Affected by	VCID-m93r-91y4-xyaz	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1010.json	38.0.0
2026-04-01T13:42:57.802043+00:00	RedHat Importer	Affected by	VCID-ymu8-mjph-f7a4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1012.json	38.0.0
2026-04-01T13:42:57.067979+00:00	RedHat Importer	Affected by	VCID-1xcg-n9k4-tqc4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1011.json	38.0.0
2026-04-01T13:42:56.334979+00:00	RedHat Importer	Affected by	VCID-ms9h-982a-pkdu	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1014.json	38.0.0
2026-04-01T13:42:55.527223+00:00	RedHat Importer	Affected by	VCID-pj4h-ff45-e3ez	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1013.json	38.0.0
2026-04-01T13:42:55.095996+00:00	RedHat Importer	Affected by	VCID-svy5-paub-2bhr	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-0510.json	38.0.0
2026-04-01T13:42:54.529320+00:00	RedHat Importer	Affected by	VCID-cypj-1jsu-cbh5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1016.json	38.0.0
2026-04-01T13:42:54.118441+00:00	RedHat Importer	Affected by	VCID-hm7h-1na5-7bbx	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1015.json	38.0.0
2026-04-01T13:42:53.477463+00:00	RedHat Importer	Affected by	VCID-f5w8-j656-akf4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1017.json	38.0.0