CVE-2026-0818

EPSS 0.01%
Veröffentlicht 28.01.2026 07:39:17
Zuletzt bearbeitet 13.04.2026 15:17:15
Quelle security@mozilla.org
CVE-Watchlists
Login
Unerledigt
Login

CSS-based exfiltration of the content from partially encrypted emails when allowing remote content

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mozilla ≫ Thunderbird SwEditionesr Version < 140.7.1

Mozilla ≫ Thunderbird SwEdition- Version < 147.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://bugzilla.mozilla.org/show_bug.cgi?id=1881530

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2026-07/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-08/

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2026/02/msg00005.html

https://nvd.nist.gov/vuln/detail/CVE-2026-0818

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0818

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0818

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-0818