Mozilla Thunderbird Email client
Recent Mozilla Thunderbird Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-16 | Security Vulnerabilities fixed in Thunderbird 148 | February 24, 2026 |
| mfsa2026-17 | Security Vulnerabilities fixed in Thunderbird 140.8 | February 24, 2026 |
| mfsa2026-11 | Security Vulnerabilities fixed in Thunderbird 147.0.2 and 140.7.2 | February 16, 2026 |
| mfsa2026-08 | Security Vulnerabilities fixed in Thunderbird 140.7.1 | January 27, 2026 |
| mfsa2026-07 | Security Vulnerabilities fixed in Thunderbird 147.0.1 | January 27, 2026 |
| mfsa2026-04 | Security Vulnerabilities fixed in Thunderbird 147 | January 13, 2026 |
| mfsa2026-05 | Security Vulnerabilities fixed in Thunderbird 140.7 | January 13, 2026 |
| mfsa2025-95 | Security Vulnerabilities fixed in Thunderbird 146 | December 9, 2025 |
| mfsa2025-96 | Security Vulnerabilities fixed in Thunderbird 140.6 | December 9, 2025 |
| mfsa2025-90 | Security Vulnerabilities fixed in Thunderbird 145 | November 13, 2025 |
By the Year
In 2026 there have been 61 vulnerabilities in Mozilla Thunderbird with an average score of 8.8 out of ten. Last year, in 2025, Thunderbird had 157 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Thunderbird in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.10.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 61 | 8.77 |
| 2025 | 157 | 7.66 |
| 2024 | 119 | 7.19 |
| 2023 | 102 | 7.49 |
| 2022 | 116 | 7.56 |
| 2021 | 73 | 7.23 |
| 2020 | 80 | 7.59 |
| 2019 | 62 | 8.21 |
| 2018 | 167 | 8.24 |
It may take a day or so for new Thunderbird vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Thunderbird Security Vulnerabilities
Memory Safety Bugs in Firefox 147 (CVE-2026-2807)
CVE-2026-2807
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Memory Corruption
Invalid pointer DOM Core & HTML in Firefox <148
CVE-2026-2805
9.8 - Critical
- February 24, 2026
Invalid pointer in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Access of Uninitialized Pointer
Firefox Graphics Text Uninit Memory (CVE-2026-2806)
CVE-2026-2806
9.1 - Critical
- February 24, 2026
Uninitialized memory in the Graphics: Text component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Use of Uninitialized Variable
Use-after-Free in Firefox WebAssembly JS Engine
CVE-2026-2804
5.4 - Medium
- February 24, 2026
Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Firefox <148 WAsm Boundary Condition Vulnerability
CVE-2026-2801
7.5 - High
- February 24, 2026
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Improper Check for Unusual or Exceptional Conditions
Firefox <148: UAF in DOM Core/HTML
CVE-2026-2799
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Core & HTML component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Firefox Android WebAuthn Spoofing CVE
CVE-2026-2800
9.8 - Critical
- February 24, 2026
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Authentication Bypass by Spoofing
Firefox WebAssembly JIT Miscompilation CVE-2026-2796
CVE-2026-2796
9.8 - Critical
- February 24, 2026
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Object Type Confusion
Firefox JavaScript GC UAF (CVE-2026-2797)
CVE-2026-2797
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Use-after-free in JS GC (Firefox <148)
CVE-2026-2795
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Dangling pointer
Memory Safety Bug in Firefox ESR <115.33/140.8; <148 for FF/Thunderbird
CVE-2026-2793
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Memory Corruption
Memory Safety Bugs in Firefox 147 & ESR 140.7, Thunderbird 147 & ESR 140.7
CVE-2026-2792
9.8 - Critical
- February 24, 2026
Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Memory Corruption
Firefox <148 / ESR<140.8: Networking Cache Mitigation Bypass
CVE-2026-2791
9.8 - Critical
- February 24, 2026
Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Use-after-free in Graphics ImageLib of Firefox <148 (ESR <115.33/140.8)
CVE-2026-2789
8.8 - High
- February 24, 2026
Use-after-free in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
UAF in Firefox DOM Window/Location before v148
CVE-2026-2787
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 Boundary Condition Flaw in Audio/Video GMP
CVE-2026-2788
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Use-after-free in Firefox JS Engine (before 148)
CVE-2026-2786
8.8 - High
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Firefox <148/ESR<140.8: Invalid Pointer in JS Engine
CVE-2026-2785
8.8 - High
- February 24, 2026
Invalid pointer in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Access of Uninitialized Pointer
Firefox <148 & ESR<140.8: DOM Mitigation Bypass in Security Component
CVE-2026-2784
9.8 - Critical
- February 24, 2026
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Firefox Netmonitor Privilege Escalation (v<148/ESR<140.8)
CVE-2026-2782
8.8 - High
- February 24, 2026
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Firefox Netmonitor PrivEsc pre-148 ESR<140.8
CVE-2026-2780
8.8 - High
- February 24, 2026
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Firefox JAR Boundary Flaw (pre-148, ESR <140.8)
CVE-2026-2779
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Firefox sandbox escape via DOM boundary conditions <148
CVE-2026-2778
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Privilege Escalation in Firefox MessagingSystem <148 (ESR <115.33,140.8)
CVE-2026-2777
9.8 - Critical
- February 24, 2026
Privilege escalation in the Messaging System component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Improper Privilege Management
Sandbox escape CVE-2026-2776 in Firefox <148 via Telemetry boundary
CVE-2026-2776
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Firefox HTMLParser Mitigation Bypass before v148 (ESR <115.33/140.8)
CVE-2026-2775
9.8 - Critical
- February 24, 2026
Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Authentication Bypass Using an Alternate Path or Channel
Firefox Audio/Video Component Integer Overflow (FF<148, ESR<115.33)
CVE-2026-2774
8.8 - High
- February 24, 2026
Integer overflow in the Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Integer Overflow or Wraparound
Firefox WebAudio Wrong boundary flaw before v148
CVE-2026-2773
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Buffer Overflow
Firefox <148 / ESR <115.33, <140.8 Undefined Behavior in DOM (CVE-2026-2771)
CVE-2026-2771
- February 24, 2026
Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
UAF in Firefox <148 AV Playback component
CVE-2026-2772
8.8 - High
- February 24, 2026
Use-after-free in the Audio/Video: Playback component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox DOM Bindings (WebIDL) < v148
CVE-2026-2770
8.8 - High
- February 24, 2026
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox IndexedDB before v148
CVE-2026-2769
8.8 - High
- February 24, 2026
Use-after-free in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <=148 IndexedDB sandbox escape
CVE-2026-2768
10 - Critical
- February 24, 2026
Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Protection Mechanism Failure
Use-after-free in Firefox JavaScript Engine JIT <148/ESR 140.8
CVE-2026-2766
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Use-after-free in Firefox JS Engine (before 148, ESR<140.8)
CVE-2026-2765
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 JIT Miscompilation UAF in JS Engine
CVE-2026-2764
9.8 - Critical
- February 24, 2026
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
UAF in Firefox JavaScript Engine < v148 & ESR 115.33
CVE-2026-2763
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Integer Overflow in Firefox JS Std Lib <148 (ESR<140.8)
CVE-2026-2762
9.8 - Critical
- February 24, 2026
Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Integer Overflow or Wraparound
Firefox Sandbox Escape via WebRender (148, ESR 115.33)
CVE-2026-2761
10 - Critical
- February 24, 2026
Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Protection Mechanism Failure
Firefox Sandbox Escape in WebRender before 148 / ESR 115.33 / 140.8
CVE-2026-2760
10 - Critical
- February 24, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
1384
Firefox <148 UAF in JS GC
CVE-2026-2758
9.8 - Critical
- February 24, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Dangling pointer
Firefox <148 ImgLib Boundary Condition Vulnerability
CVE-2026-2759
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
1384
Firefox <148 Boundary Condition Bug in WebRTC AV
CVE-2026-2757
9.8 - Critical
- February 24, 2026
Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
1384
Firefox < 147.0.4 Heap Buffer Overflow via libvpx
CVE-2026-2447
8.8 - High
- February 16, 2026
Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
Heap-based Buffer Overflow
Thunderbird <147.0.1 Vulnerable to CSS Leak via Decrypted OpenPGP Messages
CVE-2026-0818
4.3 - Medium
- January 28, 2026
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.
Information Disclosure
Mem safety bug in Firefox & Thunderbird enabling arbitrary code exec
CVE-2026-0892
9.8 - Critical
- January 13, 2026
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Buffer Overflow
Firefox/Thunderbird Spoofing via Copy&Paste Drag&Drop (pre-147/140.7)
CVE-2026-0890
5.4 - Medium
- January 13, 2026
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Authentication Bypass by Spoofing
Firefox/Thunderbird DoS via Service Workers DOM
CVE-2026-0889
7.5 - High
- January 13, 2026
Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Resource Exhaustion
Memory Safety Bugs in Firefox 146 & Thunderbird 146
CVE-2026-0891
8.1 - High
- January 13, 2026
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Firefox & Thunderbird XML Component Info Disclosure CVE-2026-0888
CVE-2026-0888
5.3 - Medium
- January 13, 2026
Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Information Disclosure