MFSA2026-08 Thunderbird: Security Vulnerabilities fixed in Thunderbird 140.7.1 (CVE-2026-0818)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Jan 27, 2026 | Jan 29, 2026 | Feb 2, 2026 |
Description
When a user explicitly asked Thunderbird to decrypt an inline
OpenPGP message embedded in a text section of an email that was
formatted and styled with HTML and CSS, the decrypted contents
were rendered in a context in which the CSS styles from the outer
message were active. If the user had additionally allowed loading
of the remote content referenced by the outer email message, and
the sender had crafted the email using a combination of CSS rules,
fonts and animations, it was possible to extract the secret
contents of the email.
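
An added triage example, not part of the advisory or of this database entry: a Python heuristic that flags HTML mail parts holding inline OpenPGP armor alongside the CSS features the description names (remote URLs, fonts, animations). The function names, indicator labels and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy

ARMOR = "-----BEGIN PGP MESSAGE-----"
# CSS features the advisory names: remote content, fonts, animations.
CSS_SIGNS = {
    "remote_url": re.compile(r"url\(\s*['\"]?(?:https?:)?//", re.I),
    "font_face": re.compile(r"@font-face", re.I),
    "animation": re.compile(r"@keyframes|animation(?:-name)?\s*:", re.I),
}
STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
STYLE_ATTR = re.compile(r"\bstyle\s*=\s*(\"[^\"]*\"|'[^']*')", re.I)
LINKED_SHEET = re.compile(r"<link\b[^>]*rel\s*=\s*['\"]?stylesheet", re.I)


def css_signs(html):
    """Return sorted names of the CSS features present in one HTML body."""
    css = "\n".join(STYLE_BLOCK.findall(html) + STYLE_ATTR.findall(html))
    found = {name for name, rx in CSS_SIGNS.items() if rx.search(css)}
    if LINKED_SHEET.search(html):
        found.add("linked_stylesheet")
    return sorted(found)


def scan_message(raw):
    """List CSS features per HTML part that also holds inline PGP armor."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if ARMOR in html and css_signs(html):
            findings.append(css_signs(html))
    return findings


# Constructed sample messages (not taken from any real mail).
HEAD = b"Subject: t\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
PGP = b"<pre>-----BEGIN PGP MESSAGE-----\n\nAAAA\n-----END PGP MESSAGE-----</pre>"
STYLED = HEAD + (b"<html><head><style>@font-face{font-family:f;"
                 b"src:url(https://fonts.example.invalid/f.woff2)}"
                 b"@keyframes k{}</style></head><body>" + PGP + b"</body></html>")
PLAIN = HEAD + b"<html><body>" + PGP + b"</body></html>"

if __name__ == "__main__":
    print(scan_message(STYLED))  # styled outer HTML around inline armor
    print(scan_message(PLAIN))   # inline armor, no active CSS
```

A match only marks a message for review before its inline block is decrypted; it does not show that extraction was attempted.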
Solution
mozilla-thunderbird-upgrade-140_7_1