Mozilla Thunderbird Email client
Recent Mozilla Thunderbird Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-51 | Security Vulnerabilities fixed in Thunderbird 140.11 | May 19, 2026 |
| mfsa2026-50 | Security Vulnerabilities fixed in Thunderbird 151 | May 19, 2026 |
| mfsa2026-43 | Security Vulnerabilities fixed in Thunderbird 150.0.2 | May 8, 2026 |
| mfsa2026-44 | Security Vulnerabilities fixed in Thunderbird 140.10.2 | May 8, 2026 |
| mfsa2026-38 | Security Vulnerabilities fixed in Thunderbird 150.0.1 | April 30, 2026 |
| mfsa2026-39 | Security Vulnerabilities fixed in Thunderbird 140.10.1 | April 30, 2026 |
| mfsa2026-34 | Security Vulnerabilities fixed in Thunderbird 140.10 | April 21, 2026 |
| mfsa2026-33 | Security Vulnerabilities fixed in Thunderbird 150 | April 21, 2026 |
| mfsa2026-28 | Security Vulnerabilities fixed in Thunderbird 149.0.2 | April 7, 2026 |
| mfsa2026-29 | Security Vulnerabilities fixed in Thunderbird 140.9.1 | April 7, 2026 |
By the Year
So far in 2026 there have been 202 vulnerabilities in Mozilla Thunderbird, with an average score of 8.2 out of ten. Last year, in 2025, Thunderbird had 157 security vulnerabilities published. That is, 45 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.59.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 202 | 8.24 |
| 2025 | 157 | 7.65 |
| 2024 | 119 | 7.15 |
| 2023 | 102 | 7.49 |
| 2022 | 116 | 7.56 |
| 2021 | 73 | 7.23 |
| 2020 | 80 | 7.59 |
| 2019 | 62 | 8.21 |
| 2018 | 167 | 8.24 |
It may take a day or so for new Thunderbird vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Thunderbird Security Vulnerabilities
Mozilla Firefox ESR 115.35/140.10/150 Mem Safety Bug (CVE-2026-8975)
CVE-2026-8975
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Firefox Memory Safety Bugs 140.10/150: Arbitrary Code Exec Fix in 151
CVE-2026-8974
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Mem Saf Bugs in Mozilla Firefox 150
CVE-2026-8973
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Buffer Overflow
Firefox WebRTC Audio/Video PE Vulnerability
CVE-2026-8972
8.8 - High
- May 19, 2026
Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Improper Privilege Management
CVE-2026-8971: Same-Origin Policy Bypass in Firefox JAR Component
CVE-2026-8971
6.5 - Medium
- May 19, 2026
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Origin Validation Error
Firefox Privilege Escalation in Security Component before 151/140.11
CVE-2026-8970
8.8 - High
- May 19, 2026
Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Improper Privilege Management
CVE-2026-8969: Mitigation Bypass in DOM Security Component of Firefox
CVE-2026-8969
8.1 - High
- May 19, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Protection Mechanism Failure
Firefox Web Codecs DoS via invalid pointer fixed in 151/140.11
CVE-2026-8968
7.5 - High
- May 19, 2026
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Resource Exhaustion
Info Disclosure via WebGPU in Firefox
CVE-2026-8967
7.5 - High
- May 19, 2026
Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Information Disclosure
Information disclosure in Mozilla Firefox IP Protection component
CVE-2026-8966
7.5 - High
- May 19, 2026
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Information Disclosure
Firefox DOM Info Disclosure (CVE-2026-8965) Fix/Update
CVE-2026-8965
7.5 - High
- May 19, 2026
Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Information Disclosure
Firefox Popup Blocker Spoofing Vulnerability (CVE-2026-8964)
CVE-2026-8964
7.5 - High
- May 19, 2026
Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
User Interface (UI) Misrepresentation of Critical Information
Firefox Web Speech Spoofing Vulnerability
CVE-2026-8963
7.5 - High
- May 19, 2026
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Authentication Bypass by Spoofing
Firefox 151/ESR 140.11 DOM Mitigation Bypass Security Component
CVE-2026-8962
8.1 - High
- May 19, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Protection Mechanism Failure
Firefox Form Autofill Spoofing CVE-2026-8961 (fixed in 151/ESR 140.11)
CVE-2026-8961
6.5 - Medium
- May 19, 2026
Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Authentication Bypass by Spoofing
Firefox 151 WebExt Spoofing Vulnerability
CVE-2026-8960
7.5 - High
- May 19, 2026
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Authentication Bypass by Spoofing
Firefox 151 Win32 Widget Sandbox Escape - Boundary Condition Flaw
CVE-2026-8959
9.6 - Critical
- May 19, 2026
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Firefox 151 Information Disclosure Process Sandbox Escape
CVE-2026-8958
8.6 - High
- May 19, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Exposure of Resource to Wrong Sphere
Privilege Escalation in Firefox Enterprise Policies (before 151)
CVE-2026-8957
8.8 - High
- May 19, 2026
Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Improper Privilege Management
Integer Overflow in Firefox Networking JAR (150)
CVE-2026-8956
9.8 - Critical
- May 19, 2026
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Integer Overflow or Wraparound
Firefox Workers DOM Privilege Escalation (pre-151)
CVE-2026-8955
8.8 - High
- May 19, 2026
Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Improper Privilege Management
Integer Overflow in Firefox AV Comp (before 151/ESR 140.11)
CVE-2026-8954
7.5 - High
- May 19, 2026
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Firefox Sandbox Escape via Use-After-Free in Disability Access APIs (before 151)
CVE-2026-8953
9.6 - Critical
- May 19, 2026
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Dangling pointer
Firefox PrivEsc via Application Update component CVE-2026-8952
CVE-2026-8952
8.8 - High
- May 19, 2026
Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Improper Privilege Management
Same-origin policy bypass in Firefox Networking:HTTP component before 151
CVE-2026-8950
9.3 - Critical
- May 19, 2026
Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Origin Validation Error
Firefox 151 Integer Overflow in Widget: Win32 Component (pre-151)
CVE-2026-8949
7.5 - High
- May 19, 2026
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Integer Overflow or Wraparound
CVE-2026-8948: Same-origin policy bypass in Firefox DOM networking
CVE-2026-8948
9.1 - Critical
- May 19, 2026
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Permissive Cross-domain Policy with Untrusted Domains
Use-After-Free in WebIDL Bindings (Firefox <151)
CVE-2026-8947
7.3 - High
- May 19, 2026
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Dangling pointer
Firefox Web Codecs Incorrect Boundary Conditions <151 (ESR 115/140)
CVE-2026-8946
7.5 - High
- May 19, 2026
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Firefox 150.0.3 Sandbox Escape in Profile Backup (Fixed)
CVE-2026-8401
9.8 - Critical
- May 12, 2026
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Protection Mechanism Failure
JavaScript Engine flaw in Firefox 150.0.3 (fixed)
CVE-2026-8391
5.3 - Medium
- May 12, 2026
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Improper Input Validation
Firefox 150 JIT Boundary Condition Vulnerability in JS Engine
CVE-2026-8388
6.5 - Medium
- May 12, 2026
Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Buffer Overflow
Firefox ESR 140.10.2 WebRTC Vulnerability
CVE-2026-8094
9.8 - Critical
- May 07, 2026
Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
Code Injection
Firefox 150.0.1 Memcor bugs may allow arbitrary code execution
CVE-2026-8093
8.1 - High
- May 07, 2026
Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.
Buffer Overflow
Firefox 115.35.1/140.10.1/150.0.1 Memory Safety Bug
CVE-2026-8092
8.1 - High
- May 07, 2026
Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
Out-of-bounds Read
Firefox ESR AV Playback boundary flaw before 140.10.2
CVE-2026-8091
9.8 - Critical
- May 07, 2026
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
Improper Check for Unusual or Exceptional Conditions
Use-after-free in Firefox DOM Networking pre-150.0.2
CVE-2026-8090
7.3 - High
- May 07, 2026
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
Dangling pointer
Firefox Sandbox Escape in WebRTC Networking before ESR 140.10.1
CVE-2026-7321
9.6 - Critical
- April 28, 2026
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.
Classic Buffer Overflow
Memory safety bugs in Firefox 150.0.0 (fixed 150.0.1)
CVE-2026-7324
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
Buffer Overflow
Memory Safety Bug in Firefox ESR 140.10.0 & Thunderbird 140.10.0
CVE-2026-7323
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Memory safety bugs in Firefox ESR 115.35.0/140.10.0 & 150.0.0 (fixed 150.0.1)
CVE-2026-7322
7.3 - High
- April 28, 2026
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Firefox Audio/Video Boundary Bug Info Disclosure (fixed in 150.0.1)
CVE-2026-7320
7.5 - High
- April 28, 2026
Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Buffer Overflow
Firefox 149 / ESR 140.9 Memory Safety Bugs (Arbitrary Code Exec)
CVE-2026-6786
7.5 - High
- April 21, 2026
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Dangling pointer
Mozilla Firefox Memory Safety Bug (ESR 115.34, 115.35, ESR 140.9/140.10, 149)
CVE-2026-6785
7.5 - High
- April 21, 2026
Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Out-of-bounds Read
Memory Safety Bugs in Firefox 149 & Thunderbird 149
CVE-2026-6784
7.5 - High
- April 21, 2026
Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Out-of-bounds Read
Firefox 150 AV Playback CVE-2026-6783 Integer Overflow
CVE-2026-6783
5.3 - Medium
- April 21, 2026
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Integer Overflow or Wraparound
Info Disclosure via Firefox IP Protection Component
CVE-2026-6782
7.5 - High
- April 21, 2026
Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Information Disclosure
DoS in Firefox AV Playback Component (CVE-2026-6781)
CVE-2026-6781
7.5 - High
- April 21, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Resource Exhaustion
Firefox A/V Playback DoS Vulnerability
CVE-2026-6780
7.5 - High
- April 21, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Resource Exhaustion
Mozilla Firefox JS Engine CVE-2026-6779 (Other issue)
CVE-2026-6779
5.3 - Medium
- April 21, 2026
Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Buffer Overflow