{"url":"http://public2.vulnerablecode.io/api/packages/252834?format=json","purl":"pkg:apk/alpine/thunderbird@91.6.0-r0?arch=x86_64&distroversion=v3.17&reponame=community","type":"apk","namespace":"alpine","name":"thunderbird","version":"91.6.0-r0","qualifiers":{"arch":"x86_64","distroversion":"v3.17","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"91.6.2-r0","latest_non_vulnerable_version":"102.1.0-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173652?format=json","vulnerability_id":"VCID-64km-7by4-bkgf","summary":"If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22759.json","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22759.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22759","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56081","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22759"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22754","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22754"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22756","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22756"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22759","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22759"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22760","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22760"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22763","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22763"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22764","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22764"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053242","reference_id":"2053242","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053242"},{"reference_url":"https://security.gentoo.org/glsa/202202-03","reference_id":"GLSA-202202-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202202-03"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-04/","reference_id":"mfsa2022-04","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:36:47Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-04/"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-05/","reference_id":"mfsa2022-05","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:36:47Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-05/"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-06/","reference_id":"mfsa2022-06","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:36:47Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-06/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0510","reference_id":"RHSA-2022:0510","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0510"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0511","reference_id":"RHSA-2022:0511","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0511"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0512","reference_id":"RHSA-2022:0512","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0512"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0513","reference_id":"RHSA-2022:0513","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0513"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0514","reference_id":"RHSA-2022:0514","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0514"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0535","reference_id":"RHSA-2022:0535","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0535"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0536","reference_id":"RHSA-2022:0536","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0536"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0537","reference_id":"RHSA-2022:0537","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0537"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0538","reference_id":"RHSA-2022:0538","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0538"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0539","reference_id":"RHSA-2022:0539","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0539"},{"reference_url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739957","reference_id":"show_bug.cgi?id=1739957","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:36:47Z/"}],"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1739957"},{"reference_url":"https://usn.ubuntu.com/5284-1/","reference_id":"USN-5284-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5284-1/"},{"reference_url":"https://usn.ubuntu.com/5345-1/","reference_id":"USN-5345-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5345-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/252834?format=json","purl":"pkg:apk/alpine/thunderbird@91.6.0-r0?arch=x86_64&distroversion=v3.17&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/thunderbird@91.6.0-r0%3Farch=x86_64&distroversion=v3.17&reponame=community"}],"aliases":["CVE-2022-22759"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64km-7by4-bkgf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173647?format=json","vulnerability_id":"VCID-xmjf-8t9s-pye2","summary":"Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22764.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22764.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22764","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67806","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22764"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22754","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22754"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22756","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22756"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22759","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22759"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22760","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22760"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22763","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22763"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22764","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22764"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053243","reference_id":"2053243","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2053243"},{"reference_url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279","reference_id":"buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T14:28:33Z/"}],"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279"},{"reference_url":"https://security.gentoo.org/glsa/202202-03","reference_id":"GLSA-202202-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202202-03"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-04/","reference_id":"mfsa2022-04","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T14:28:33Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-04/"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-05/","reference_id":"mfsa2022-05","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T14:28:33Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-05/"},{"reference_url":"https://www.mozilla.org/security/advisories/mfsa2022-06/","reference_id":"mfsa2022-06","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-16T14:28:33Z/"}],"url":"https://www.mozilla.org/security/advisories/mfsa2022-06/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0510","reference_id":"RHSA-2022:0510","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0510"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0511","reference_id":"RHSA-2022:0511","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0511"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0512","reference_id":"RHSA-2022:0512","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0512"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0513","reference_id":"RHSA-2022:0513","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0513"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0514","reference_id":"RHSA-2022:0514","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0514"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0535","reference_id":"RHSA-2022:0535","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0535"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0536","reference_id":"RHSA-2022:0536","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0536"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0537","reference_id":"RHSA-2022:0537","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0537"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0538","reference_id":"RHSA-2022:0538","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0538"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0539","reference_id":"RHSA-2022:0539","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0539"},{"reference_url":"https://usn.ubuntu.com/5284-1/","reference_id":"USN-5284-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5284-1/"},{"reference_url":"https://usn.ubuntu.com/5345-1/","reference_id":"USN-5345-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5345-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/252834?format=json","purl":"pkg:apk/alpine/thunderbird@91.6.0-r0?arch=x86_64&distroversion=v3.17&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/thunderbird@91.6.0-r0%3Farch=x86_64&distroversion=v3.17&reponame=community"}],"aliases":["CVE-2022-22764"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xmjf-8t9s-pye2"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/thunderbird@91.6.0-r0%3Farch=x86_64&distroversion=v3.17&reponame=community"}