Security Vulnerabilities fixed in Thunderbird 147.0.2 and 140.7.2 — Mozilla
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. CVE-2026-2447: Heap buffer overflow in libvpx Reporter jayjayjazz Impact high References Bug 2014390...
PT-2026-7066
Name of the Vulnerable Software and Affected Versions: jsonpath (affected versions not specified). Description: The package jsonpath is susceptible to Arbitrary Code Injection due to unsafe evaluation of user-supplied JSON Path expressions. The library utilizes the static-eval module to process JSON...
FreeBSD : Mozilla -- Incorrect boundary conditions (f60c790a-a394-11f0-9617-b42e991fc52e)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the f60c790a-a394-11f0-9617-b42e991fc52e advisory. [email protected] reports: The vulnerability has been assessed to have moderate impact on affected...
Mozilla -- mitigation bypass vulnerability
[email protected] reports: The vulnerability has been rated as having moderate impact, affecting both confidentiality and integrity with low severity, while having no impact on availability. For Thunderbird specifically, the vulnerability cannot be exploited through email as scripting is...
Mozilla -- Incorrect boundary conditions
[email protected] reports: The vulnerability has been assessed to have moderate impact on affected systems, potentially allowing attackers to exploit incorrect boundary conditions in the JavaScript Garbage Collection component. In Thunderbird specifically, these flaws cannot be exploited throu...
GHSA-4X49-VF9V-38PX debug@4.4.2 contains malware after npm account takeover
Impact On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own...
CVE-2025-59140 backslash@0.2.1 contains malware after npm account takeover
backslash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...
CVE-2020-6800
Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. In general, these flaws...
CVE-2020-6800
Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. In general, these flaws...
Security update for MozillaThunderbird (important)
This update for MozillaThunderbird to version 60.0 fixes the following issues: These security issues were fixed: - CVE-2018-12359: Prevent buffer overflow using computed size of canvas element bsc1098998. - CVE-2018-12360: Prevent use-after-free when using focus bsc1098998. - CVE-2018-12361:...