Vulnerabilities
Vulnerable Software
Mozilla:  >> Thunderbird  >> 140.3.0  Security Vulnerabilities
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-10-14
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
6.1
EPSS Score
0.003
Published
2025-10-14
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
8.1
EPSS Score
0.003
Published
2025-10-14
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-10-14
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-10-14
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.
CVSS Score
6.5
EPSS Score
0.002
Published
2025-10-14
Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
CVSS Score
9.8
EPSS Score
0.005
Published
2025-10-14
Spoofing issue in the Site Permissions component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.
CVSS Score
8.1
EPSS Score
0.003
Published
2025-09-16
Spoofing issue in the WebAuthn component in Firefox for Android. This vulnerability was fixed in Firefox 143 and Thunderbird 143.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-09-16
Mitigation bypass in the Web Compatibility: Tooling component. This vulnerability was fixed in Firefox 143 and Thunderbird 143.
CVSS Score
5.4
EPSS Score
0.003
Published
2025-09-16


Contact Us

Shodan ® - All rights reserved