vulnerability
Rocky Linux: CVE-2025-1015: thunderbird (RLSA-2025-1292)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Feb 4, 2025 | Feb 14, 2025 | Apr 15, 2026 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Feb 4, 2025
Added
Feb 14, 2025
Modified
Apr 15, 2026
Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Solutions
rocky-upgrade-thunderbirdrocky-upgrade-thunderbird-debuginforocky-upgrade-thunderbird-debugsource
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.