Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-f4t7-jun7-3qh4
Vulnerability ID VCID-f4t7-jun7-3qh4
Aliases CVE-2022-39250
GHSA-5w8r-8pgj-5jmf
Summary Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-287 Improper Authentication
CWE-322 Key Exchange without Entity Authentication
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
epss 0.00338 https://api.first.org/data/v1/epss?cve=CVE-2022-39250
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5w8r-8pgj-5jmf
cvssv3.1 8.6 https://github.com/matrix-org/matrix-js-sdk
generic_textual HIGH https://github.com/matrix-org/matrix-js-sdk
cvssv3.1 8.6 https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
generic_textual HIGH https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
ssvc Track https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
cvssv3.1 8.6 https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
generic_textual HIGH https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
ssvc Track https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
cvssv3.1 8.6 https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
cvssv3.1_qr HIGH https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
generic_textual HIGH https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
ssvc Track https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
cvssv3.1 8.6 https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
generic_textual HIGH https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
ssvc Track https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
cvssv3.1 8.6 https://nvd.nist.gov/vuln/detail/CVE-2022-39250
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-39250
cvssv3.1 8.6 https://security.gentoo.org/glsa/202210-35
generic_textual HIGH https://security.gentoo.org/glsa/202210-35
ssvc Track https://security.gentoo.org/glsa/202210-35
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2022-43
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json
https://api.first.org/data/v1/epss?cve=CVE-2022-39250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/matrix-org/matrix-js-sdk
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
https://nvd.nist.gov/vuln/detail/CVE-2022-39250
1021136 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136
2135395 https://bugzilla.redhat.com/show_bug.cgi?id=2135395
GHSA-5w8r-8pgj-5jmf https://github.com/advisories/GHSA-5w8r-8pgj-5jmf
GLSA-202210-35 https://security.gentoo.org/glsa/202210-35
mfsa2022-43 https://www.mozilla.org/en-US/security/advisories/mfsa2022-43
RHSA-2022:7178 https://access.redhat.com/errata/RHSA-2022:7178
RHSA-2022:7181 https://access.redhat.com/errata/RHSA-2022:7181
RHSA-2022:7182 https://access.redhat.com/errata/RHSA-2022:7182
RHSA-2022:7183 https://access.redhat.com/errata/RHSA-2022:7183
RHSA-2022:7184 https://access.redhat.com/errata/RHSA-2022:7184
RHSA-2022:7190 https://access.redhat.com/errata/RHSA-2022:7190
USN-5724-1 https://usn.ubuntu.com/5724-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/matrix-org/matrix-js-sdk
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/ Found at https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/ Found at https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/ Found at https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/ Found at https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-39250
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N Found at https://security.gentoo.org/glsa/202210-35
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/ Found at https://security.gentoo.org/glsa/202210-35
Exploit Prediction Scoring System (EPSS)
Percentile 0.56609
EPSS Score 0.00338
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:03:41.019992+00:00 Gentoo Importer Import https://security.gentoo.org/glsa/202210-35 38.0.0