Mozilla Thunderbird Email client
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Mozilla Thunderbird.
Recent Mozilla Thunderbird Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-61 | Security Vulnerabilities fixed in Thunderbird 140.12 mfsa2026-61 | June 16, 2026 |
| mfsa2026-60 | Security Vulnerabilities fixed in Thunderbird 152 mfsa2026-60 | June 16, 2026 |
| mfsa2026-51 | Security Vulnerabilities fixed in Thunderbird 140.11 mfsa2026-51 | May 19, 2026 |
| mfsa2026-50 | Security Vulnerabilities fixed in Thunderbird 151 mfsa2026-50 | May 19, 2026 |
| mfsa2026-43 | Security Vulnerabilities fixed in Thunderbird 150.0.2 mfsa2026-43 | May 8, 2026 |
| mfsa2026-44 | Security Vulnerabilities fixed in Thunderbird 140.10.2 mfsa2026-44 | May 8, 2026 |
| mfsa2026-38 | Security Vulnerabilities fixed in Thunderbird 150.0.1 mfsa2026-38 | April 30, 2026 |
| mfsa2026-39 | Security Vulnerabilities fixed in Thunderbird 140.10.1 mfsa2026-39 | April 30, 2026 |
| mfsa2026-34 | Security Vulnerabilities fixed in Thunderbird 140.10 mfsa2026-34 | April 21, 2026 |
| mfsa2026-33 | Security Vulnerabilities fixed in Thunderbird 150 mfsa2026-33 | April 21, 2026 |
By the Year
In 2026 there have been 244 vulnerabilities in Mozilla Thunderbird with an average score of 8.0 out of ten. Last year, in 2025 Thunderbird had 157 security vulnerabilities published. That is, 87 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.37.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 244 | 8.03 |
| 2025 | 157 | 7.65 |
| 2024 | 119 | 7.15 |
| 2023 | 102 | 7.49 |
| 2022 | 116 | 7.56 |
| 2021 | 73 | 7.23 |
| 2020 | 80 | 7.59 |
| 2019 | 62 | 8.21 |
| 2018 | 167 | 8.24 |
It may take a day or so for new Thunderbird vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Thunderbird Security Vulnerabilities
Firefox ESR 115.37/140.12: I18N Boundary Condition Flaw
CVE-2026-12330
5.4 - Medium
- June 16, 2026
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12329: Firefox ESR 140.12 Memory Safety Bug
CVE-2026-12329
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.
Buffer Overflow
Firefox ESR 115.36115.37, ESR 140.11140.12 & 151 Memory Corruption (Arbitrary Code)
CVE-2026-12328
8.1 - High
- June 16, 2026
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Classic Buffer Overflow
MemorySafety Bugs in Firefox 151 & Thunderbird 151, Fixed in 152
CVE-2026-12327
8.1 - High
- June 16, 2026
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory Corruption in Firefox/Thunderbird 151 Enables RCE
CVE-2026-12326
8.1 - High
- June 16, 2026
Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
DoS via ImageLib in Firefox 152 & ESR 140.12/115.37 (fixed)
CVE-2026-12325
6.5 - Medium
- June 16, 2026
Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Resource Exhaustion
Graphics: CanvasWebGL Boundary Condition Vulnerability in Firefox <152
CVE-2026-12324
7.3 - High
- June 16, 2026
Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Improper Check or Handling of Exceptional Conditions
Firefox DOM: Core & HTML Spoofing Vulnerability (CVE-2026-12323)
CVE-2026-12323
5.4 - Medium
- June 16, 2026
Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Clickjacking
Clickjacking via Firefox GTK Widget
CVE-2026-12322
5.4 - Medium
- June 16, 2026
Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Clickjacking
Firefox JIT miscompilation in JS WebAssembly component (CVE-2026-12321)
CVE-2026-12321
5.4 - Medium
- June 16, 2026
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Always-Incorrect Control Flow Implementation
Info Disclosure in FF Password Manager
CVE-2026-12320
4.3 - Medium
- June 16, 2026
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Information Disclosure
DoS via Audio/Video Playback in Firefox 152 (Mozilla)
CVE-2026-12319
6.5 - Medium
- June 16, 2026
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Resource Exhaustion
Moz NSS: Boundary Condition Flaw in Libraries Component
CVE-2026-12318
7.3 - High
- June 16, 2026
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Memory Safety Vulnerability in Firefox 152
CVE-2026-12317
7.5 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
DOM Mitigation Bypass in Firefox Security Component
CVE-2026-12316
9.1 - Critical
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Protection Mechanism Failure
Firefox 152 DOM Mitigation Bypass in Security Component
CVE-2026-12315
9.1 - Critical
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Firefox Memory Safety Bug - Fixed in v152, ESR 140.12
CVE-2026-12314
7.5 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12313: Info Disclosure via Sandbox Escape in Process Sandboxing (Pre-152)
CVE-2026-12313
4.7 - Medium
- June 16, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Improper Privilege Management
Firefox 152: Memory Safety Bug Fixed ESR 140.12 Update
CVE-2026-12312
7.5 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox 152/140.12 Process Sandboxing Disclosure & Sandbox Escape
CVE-2026-12311
4.7 - Medium
- June 16, 2026
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Function Call With Incorrect Variable or Reference as Argument
Firefox 152 Memory Safety Bug (CVE-2026-12310)
CVE-2026-12310
7.5 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug in Firefox <152, fixed in 152 & ESR 140.12
CVE-2026-12309
6.5 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug in Firefox before 152 (ESR 140.12)
CVE-2026-12308
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
CVE-2026-12307: Memory safety bug in Firefox <152 (ESR 140.12) fixed
CVE-2026-12307
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox 152 MemSafe Bug Fixed
CVE-2026-12306
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Memory safety bug before Firefox 152, fixed in 152 & ESR 140.12
CVE-2026-12305
7.5 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Same-origin Policy Bypass in Firefox Networking:Cookies (before FF 152)
CVE-2026-12304
9.1 - Critical
- June 16, 2026
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Origin Validation Error
CVE-2026-12303 Info Disclosure via WebGPU Boundary Conditions in Firefox
CVE-2026-12303
4.3 - Medium
- June 16, 2026
Information disclosure due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Out-of-bounds Read
Firefox Mitigation Bypass in DOM Component before 152 / ESR 140.12 / 115.37
CVE-2026-12302
6.5 - Medium
- June 16, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Firefox 152 Memory Safety Vulnerability
CVE-2026-12301
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Firefox mem safety bug CVE-2026-12300 fixed in v152
CVE-2026-12300
5.3 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Buffer Overflow
Firefox JIT Miscompilation in DOM Core & HTML (before 152, ESR 140.12, 115.37)
CVE-2026-12299
5.4 - Medium
- June 16, 2026
JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Object Type Confusion
Memory safety bug in Firefox before 152 (fixed in 152)
CVE-2026-12298
5.4 - Medium
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Out-of-bounds Read
Firefox Sandbox Escape (Networking Boundary, pre-152)
CVE-2026-12297
9.6 - Critical
- June 16, 2026
Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox 152 Sandbox Escape in Process Sandboxing Component
CVE-2026-12296
9.6 - Critical
- June 16, 2026
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Sandbox Esc. in DOM Nav. - Firefox <152 (ESR 140.12/115.37)
CVE-2026-12295
9.6 - Critical
- June 16, 2026
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
Firefox Sandbox Escape via DOM Workers (pre-152, ESR 140.12, ESR 115.37)
CVE-2026-12294
9.6 - Critical
- June 16, 2026
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Protection Mechanism Failure
UAF in Firefox 152 WebGPU
CVE-2026-12293
9.8 - Critical
- June 16, 2026
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Dangling pointer
CVE-2026-12292: Firefox Web Audio boundary flaw (v<152)
CVE-2026-12292
8.1 - High
- June 16, 2026
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Use-after-free in Firefox Networking HTTP before 152
CVE-2026-12291
8.8 - High
- June 16, 2026
Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Dangling pointer
Firefox Memory Safety bug fixed in 152 ESR 140.12/115.37
CVE-2026-12290
8.1 - High
- June 16, 2026
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Buffer Overflow
Firefox WebRender Privilege Escalation before 152
CVE-2026-12289
8.8 - High
- June 16, 2026
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Improper Privilege Management
Mozilla Firefox ESR 115.35/140.10/150 Mem Safety Bug (CVE-2026-8975)
CVE-2026-8975
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Firefox Memory Safety Bugs 140.10/150: Arbitrary Code Exec Fix in 151
CVE-2026-8974
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Buffer Overflow
Mem Saf Bugs in Mozilla Firefox 150
CVE-2026-8973
8.8 - High
- May 19, 2026
Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Buffer Overflow
Firefox WebRTC Audio/Video PE Vulnerability
CVE-2026-8972
8.8 - High
- May 19, 2026
Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Improper Privilege Management
CVE-2026-8971: Same-Origin Policy Bypass in Firefox JAR Component
CVE-2026-8971
6.5 - Medium
- May 19, 2026
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Origin Validation Error
Firefox Privilege Escalation in Security Component before 151/140.11
CVE-2026-8970
8.8 - High
- May 19, 2026
Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Improper Privilege Management
CVE-2026-8969: Mitigation Bypass in DOM Security Component of Firefox
CVE-2026-8969
8.1 - High
- May 19, 2026
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Protection Mechanism Failure
Firefox Web Codecs DS via invalid pointer fixed in 151/140.11
CVE-2026-8968
7.5 - High
- May 19, 2026
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Resource Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Mozilla Thunderbird or by Mozilla? Click the Watch button to subscribe.
