CVE-2026-0818
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| mozilla | thunderbird | before 140.7.1 (exclusive) |
| mozilla | thunderbird | before 147.0.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves CSS-based exfiltration of content from partially encrypted emails when remote content is allowed. It affects Thunderbird versions before 147.0.1 and before 140.7.1, allowing an attacker to potentially extract email content through CSS techniques.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Thunderbird to version 147.0.1 or later, or 140.7.1 or later, so that the fix is applied. Additionally, avoid allowing remote content in emails to prevent CSS-based exfiltration.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of partially encrypted email content, potentially exposing sensitive information to attackers without user permission.