Mozilla Thunderbird Email client
Recent Mozilla Thunderbird Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-04 | Security Vulnerabilities fixed in Thunderbird 147 | January 13, 2026 |
| mfsa2026-05 | Security Vulnerabilities fixed in Thunderbird 140.7 | January 13, 2026 |
| mfsa2025-95 | Security Vulnerabilities fixed in Thunderbird 146 | December 9, 2025 |
| mfsa2025-96 | Security Vulnerabilities fixed in Thunderbird 140.6 | December 9, 2025 |
| mfsa2025-90 | Security Vulnerabilities fixed in Thunderbird 145 | November 13, 2025 |
| mfsa2025-91 | Security Vulnerabilities fixed in Thunderbird 140.5 | November 12, 2025 |
| mfsa2025-85 | Security Vulnerabilities fixed in Thunderbird 140.4 | October 14, 2025 |
| mfsa2025-84 | Security Vulnerabilities fixed in Thunderbird 144 | October 14, 2025 |
| mfsa2025-77 | Security Vulnerabilities fixed in Thunderbird 143 | September 16, 2025 |
| mfsa2025-78 | Security Vulnerabilities fixed in Thunderbird 140.3 | September 16, 2025 |
By the Year
In 2026 there have been 16 vulnerabilities in Mozilla Thunderbird, with an average score of 7.6 out of ten. Last year, in 2025, Thunderbird had 157 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Thunderbird in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.12.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 16 | 7.55 |
| 2025 | 157 | 7.67 |
| 2024 | 119 | 7.20 |
| 2023 | 102 | 7.49 |
| 2022 | 116 | 7.56 |
| 2021 | 73 | 7.23 |
| 2020 | 76 | 7.61 |
| 2019 | 58 | 8.35 |
| 2018 | 77 | 8.54 |
It may take a day or so for new Thunderbird vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Thunderbird Security Vulnerabilities
Memory safety bugs present in Firefox 146 and Thunderbird 146
CVE-2026-0892
9.8 - Critical
- January 13, 2026
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Buffer Overflow
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
CVE-2026-0891
8.1 - High
- January 13, 2026
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
CVE-2026-0890
5.4 - Medium
- January 13, 2026
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Authentication Bypass by Spoofing
Denial-of-service in the DOM: Service Workers component
CVE-2026-0889
7.5 - High
- January 13, 2026
Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Resource Exhaustion
Information disclosure in the XML component
CVE-2026-0888
5.3 - Medium
- January 13, 2026
Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Information Disclosure
Clickjacking issue, information disclosure in the PDF Viewer component
CVE-2026-0887
4.3 - Medium
- January 13, 2026
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Incorrect boundary conditions in the Graphics component
CVE-2026-0886
5.3 - Medium
- January 13, 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Use-after-free in the JavaScript: GC component
CVE-2026-0885
6.5 - Medium
- January 13, 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Use-after-free in the JavaScript Engine component
CVE-2026-0884
9.8 - Critical
- January 13, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Information disclosure in the Networking component
CVE-2026-0883
5.3 - Medium
- January 13, 2026
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Information Disclosure
Use-after-free in the IPC component
CVE-2026-0882
8.8 - High
- January 13, 2026
Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Dangling pointer
Sandbox escape in the Messaging System component
CVE-2026-0881
10 - Critical
- January 13, 2026
Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147.
Protection Mechanism Failure
Sandbox escape due to integer overflow in the Graphics component
CVE-2026-0880
8.8 - High
- January 13, 2026
Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Integer Overflow or Wraparound
Sandbox escape due to incorrect boundary conditions in the Graphics component
CVE-2026-0879
9.8 - Critical
- January 13, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
CVE-2026-0878
8 - High
- January 13, 2026
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Buffer Overflow
Mitigation bypass in the DOM: Security component
CVE-2026-0877
8.1 - High
- January 13, 2026
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Protection Mechanism Failure
Firefox/Thunderbird Memory Corruption CVE-2025-14333 (ESR<140.6, <=145)
CVE-2025-14333
8.1 - High
- December 09, 2025
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Buffer Overflow
CVE-2025-14332: Memory Safety Bugs in Firefox 145 Enable Arbitrary Exec
CVE-2025-14332
7.3 - High
- December 09, 2025
Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Thunderbird < 146.
Memory Corruption
Firefox Same-Origin Policy Bypass in Request Handler <146
CVE-2025-14331
6.5 - Medium
- December 09, 2025
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Origin Validation Error
Firefox JIT Miscompilation in JavaScript Engine (<= 145, ESR < 140.6)
CVE-2025-14330
9.8 - Critical
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Function Call With Incorrect Argument Type
Firefox Netmonitor PrivEsc <146, ESR<140.6
CVE-2025-14329
8.8 - High
- December 09, 2025
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Privilege Escalation in Netmonitor (Firefox <146 / ESR<140.6)
CVE-2025-14328
8.8 - High
- December 09, 2025
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
CVE-2025-14327: Spoofing in Firefox Downloads Panel (v <146)
CVE-2025-14327
7.5 - High
- December 09, 2025
Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7.
Authentication Bypass by Spoofing
UA-Firefox-GMP UAF CVE-2025-14326
CVE-2025-14326
9.8 - Critical
- December 09, 2025
Use-after-free in the Audio/Video: GMP component. This vulnerability affects Firefox < 146 and Thunderbird < 146.
Dangling pointer
Firefox JIT Miscompilation (JS) <146/ESR<140.6
CVE-2025-14325
7.3 - High
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Object Type Confusion
Mozilla Firefox JIT Miscompilation (JS Engine) before v146, ESR <115.31/140.6
CVE-2025-14324
9.8 - Critical
- December 09, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Code Injection
Firefox <146 PrivEsc via DOM Notifications
CVE-2025-14323
8.8 - High
- December 09, 2025
Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Firefox Sandbox Escape via CanvasWebGL before v146 (ESR <115.31,140.6)
CVE-2025-14322
8 - High
- December 09, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Improper Check for Unusual or Exceptional Conditions
Use-after-free in WebRTC Signaling: Firefox <146, ESR <140.6
CVE-2025-14321
9.8 - Critical
- December 09, 2025
Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Dangling pointer
Mozilla Firefox memory corruption bug (CVE-2025-13027)
CVE-2025-13027
8.1 - High
- November 11, 2025
Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Buffer Overflow
Firefox WebRTC Audio/Video UAF CVE-2025-13020 (<=145, ESR<140.5)
CVE-2025-13020
8.8 - High
- November 11, 2025
Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Dangling pointer
Firefox Workers DOM Same-origin policy bypass before 145
CVE-2025-13019
8.1 - High
- November 11, 2025
Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Permissive Cross-domain Policy with Untrusted Domains
Firefox WebGPU Sandbox Escape via Boundary Check Flaw
CVE-2025-13026
9.8 - Critical
- November 11, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox <145, ESR<140.5: DOM Mitigation Bypass in Security Component
CVE-2025-13018
8.1 - High
- November 11, 2025
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass Using an Alternate Path or Channel
Same-Origin Policy Bypass in Firefox Notifications <145
CVE-2025-13017
8.1 - High
- November 11, 2025
Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Permissive Cross-domain Policy with Untrusted Domains
Firefox WebGPU Incorrect Boundary Conditions (CVE-2025-13025)
CVE-2025-13025
7.5 - High
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Incorrect Default Permissions
Firefox JIT miscompilation (CVE-2025-13024)
CVE-2025-13024
9.8 - Critical
- November 11, 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Compiler Optimization Removal or Modification of Security-critical Code
Firefox WebGPU Sandbox Escape via Boundary Check Failure
CVE-2025-13023
9.8 - Critical
- November 11, 2025
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox WebGPU Boundary Condition Exploit CVE-2025-13022
CVE-2025-13022
9.8 - Critical
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Incorrect boundary conditions in Firefox WebAssembly before v145 / ESR140.5
CVE-2025-13016
7.5 - High
- November 11, 2025
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Improper Check or Handling of Exceptional Conditions
Firefox WebGPU Boundary Condition Failure (CVE-2025-13021)
CVE-2025-13021
9.8 - Critical
- November 11, 2025
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
Improper Check or Handling of Exceptional Conditions
Firefox Spoofing Vulnerability (145, ESR140.5/115.30)
CVE-2025-13015
3.4 - Low
- November 11, 2025
Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass by Spoofing
UAF in Firefox AV before 145 (ESR <140.5/115.30)
CVE-2025-13014
8.8 - High
- November 11, 2025
Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Dangling pointer
Firefox DOM Mitigation Bypass v<145/ESR<140.5
CVE-2025-13013
6.1 - Medium
- November 11, 2025
Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Authentication Bypass Using an Alternate Path or Channel
Firefox Graphics Race Condition <v145 (ESR<140.5/115.30)
CVE-2025-13012
7.5 - High
- November 11, 2025
Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Race Condition
Firefox Sandbox iframe Links Open External App on Android
CVE-2025-11716
6.5 - Medium
- October 14, 2025
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox < 144 and Thunderbird < 144.
Authorization
Memory Safety Bug in Mozilla Firefox & Thunderbird <144 (CVE-2025-11721)
CVE-2025-11721
9.8 - Critical
- October 14, 2025
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144 and Thunderbird < 144.
Buffer Overflow
CVE-2025-11719: Firefox UAF Crash via Web Extensions Native Messaging (Windows)
CVE-2025-11719
9.8 - Critical
- October 14, 2025
Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144.
Dangling pointer
Firefox & Thunderbird < 144 XSS via OBJECT type override
CVE-2025-11712
6.1 - Medium
- October 14, 2025
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Output Sanitization
Firefox & Thunderbird <=144: Copy as cURL insufficient escaping on Windows
CVE-2025-11713
8.1 - High
- October 14, 2025
Insufficient escaping in the Copy as cURL feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Output Sanitization