5922 matches found

Cvelist
added 2025/05/14 4:56 p.m. · 13 views

CVE-2025-3909 JavaScript Execution via Spoofed PDF Attachment and file:/// Link

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment message/rfc822 and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

EPSS: 0.00422
Exploits: 0 · References: 3

CVE
added 2025/05/14 4:56 p.m. · 110 views

CVE-2025-3909

Thunderbird (email client) is affected by CVE-2025-3909 via the X-Mozilla-External-Attachment-URL header. An attacker could craft a nested message/rfc822 attachment with content type application/pdf, causing Thunderbird to render it as HTML and execute JavaScript in the file:/// context after aut...

CVSS: 8.1 · AI score: 7.1 · EPSS: 0.00422
Exploits: 0 · References: 4 · Affected Software: 1

RedhatCVE
added 2025/05/14 6:12 a.m. · 20 views

CVE-2025-3597

The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free versi...

CVSS: 5.9 · AI score: 6.9 · EPSS: 0.00286
Exploits: 1 · References: 1

Positive Technologies
added 2025/05/14 12:0 a.m. · 4 views

PT-2025-21163 · Netgate · pfSense CE

Name of the Vulnerable Software and Affected Versions: Netgate pfSense CE versions prior to 2.8.0 beta release; Netgate pfSense CE corresponding Plus builds versions prior to 2.8.0 beta release. Description: The issue allows remote attackers to execute arbitrary JavaScript, delete backups, or leak...

CVSS: 5.4 · AI score: 8.8 · EPSS: 0.00155
Exploits: 1 · References: 12

CVE
added 2025/05/14 12:0 a.m. · 61 views

CVE-2024-45516

Summary of CVE-2024-45516 (Zimbra Classic UI XSS) Affects Zimbra Collaboration (ZCS) versions: 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. The vulnerability arises from insufficient sanitization of HTML content in the Classic UI, specifically ma...

CVSS: 6.1 · AI score: 5.6 · EPSS: 0.0028
Exploits: 0 · References: 4 · Affected Software: 1

Tenable Nessus
added 2025/05/14 12:0 a.m. · 9 views

Mozilla Thunderbird < 128.10.1

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 128.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-34 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted...

CVSS: 8.1 · AI score: 7.1 · EPSS: 0.00422
Exploits: 0 · References: 4

CNNVD
added 2025/05/14 12:0 a.m. · 2 views

Mozilla Thunderbird Security Vulnerability

Mozilla Thunderbird is an e-mail client from the US-based Mozilla Foundation, independent of the Mozilla Application Suite. The program supports the IMAP and POP mail protocols and the HTML mail format. A cross-site scripting vulnerability exists in Mozilla Thunderbird, which stems from...

CVSS: 6.5 · AI score: 6.2 · EPSS: 0.00422
Exploits: 0 · References: 4

Tenable Nessus
added 2025/05/14 12:0 a.m. · 10 views

Mozilla Thunderbird < 138.0.1

The version of Thunderbird installed on the remote Windows host is prior to 138.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-35 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open th...

CVSS: 8.1 · AI score: 7.1 · EPSS: 0.00422
Exploits: 0 · References: 4

Tenable Nessus
added 2025/05/14 12:0 a.m. · 9 views

Mozilla Thunderbird < 128.10.1

The version of Thunderbird installed on the remote Windows host is prior to 128.10.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-34 advisory. - It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open t...

CVSS: 8.1 · AI score: 7.1 · EPSS: 0.00422
Exploits: 0 · References: 4

Veracode
added 2025/05/13 5:12 p.m. · 16 views

Cross-site Scripting (XSS)

org.graylog2:graylog2-server is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to insufficient input sanitization due to improper handling of uploaded files that allows execution of arbitrary JavaScript in the frontend when accessed via the API browser...

AI score: 6.8
Exploits: 0

RedHat Linux
added 2025/05/13 4:6 p.m. · 4 views

firefox: thunderbird: Use-after-free triggered by XSLTProcessor

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free...

CVSS: 6.5 · AI score: 6.8 · EPSS: 0.00127
Exploits: 1 · References: 10

Mozilla
added 2025/05/13 12:0 a.m. · 19 views

Security Vulnerabilities fixed in Thunderbird 138.0.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

CVSS: 8.1 · AI score: 6.6 · EPSS: 0.00422
Exploits: 0 · References: 5 · Affected Software: 1

Positive Technologies
added 2025/05/13 12:0 a.m. · 4 views

PT-2025-21187

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1; Thunderbird versions prior to 138.0.1. Description: The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which can be exploited to execute JavaScript in the file:/...

CVSS: 9.8 · AI score: 8.8 · EPSS: 0.30868
Exploits: 5 · References: 435

Mozilla
added 2025/05/13 12:0 a.m. · 25 views

Security Vulnerabilities fixed in Thunderbird 128.10.1 — Mozilla

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name [email protected] [email protected]", Thunderbird treats [email protected] as the...

CVSS: 8.1 · AI score: 6.6 · EPSS: 0.00422
Exploits: 0 · References: 5 · Affected Software: 1

NVD
added 2025/05/12 12:15 p.m. · 21 views

CVE-2025-40627

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

CVSS: 6.1 · EPSS: 0.00167
Exploits: 0 · References: 1

NVD
added 2025/05/12 12:15 p.m. · 22 views

CVE-2025-40626

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

CVSS: 6.1 · EPSS: 0.00167
Exploits: 0 · References: 1

Cvelist
added 2025/05/12 11:36 a.m. · 31 views

CVE-2025-40627 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

CVSS: 5.1 · EPSS: 0.00167
Exploits: 0 · References: 1

Vulnrichment
added 2025/05/12 11:31 a.m. · 18 views

CVE-2025-40626 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

CVSS: 5.1 · AI score: 5.6 · EPSS: 0.00167
Exploits: 0 · References: 1

Cvelist
added 2025/05/12 11:31 a.m. · 25 views

CVE-2025-40626 Reflected Cross-Site Scripting (XSS) in AbanteCart

Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform...

CVSS: 5.1 · EPSS: 0.00167
Exploits: 0 · References: 1

CVE
added 2025/05/12 6:0 a.m. · 64 views

CVE-2025-3597

CVE-2025-3597 affects the Firelight Lightbox WordPress plugin for versions prior to 2.3.15. The vulnerability lets users with post-writing capabilities execute arbitrary Javascript when the jQuery Metadata library is enabled, a feature intended for Pro but which can be activated in the free versi...

CVSS: 5.9 · AI score: 6.9 · EPSS: 0.00286
Exploits: 1 · References: 1 · Affected Software: 1