Mozilla: >> Thunderbird >> 140.3.0 Security Vulnerabilities
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox < 144 and Thunderbird < 144.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-10-14
Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-10-14
Spoofing issue in the Site Permissions component. This vulnerability affects Firefox < 143 and Thunderbird < 143.
CVSS Score
8.1
EPSS Score
0.001
Published
2025-09-16
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability affects Firefox < 143 and Thunderbird < 143.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-09-16
Mitigation bypass in the Web Compatibility: Tooling component. This vulnerability affects Firefox < 143 and Thunderbird < 143.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-09-16
Same-origin policy bypass in the Layout component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-09-16
Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, performs DNS prefetching of domain names contained in links within local HTML documents, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests. NOTE: the vendor disputes the significance of this issue, stating "I don't think we necessarily need to worry about that case."
CVSS Score
5.0
EPSS Score
0.002
Published
2010-01-29
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVSS Score
9.3
EPSS Score
0.044
Published
2009-12-17
Unspecified vulnerability in the browser engine in Mozilla Firefox before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVSS Score
9.3
EPSS Score
0.046
Published
2009-12-17
Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVSS Score
9.3
EPSS Score
0.083
Published
2009-12-17