CVE-2026-0818

EPSS 0.02%
Veröffentlicht 28.01.2026 07:39:17
Zuletzt bearbeitet 04.02.2026 10:16:04
Quelle security@mozilla.org
CVE-Watchlists
Login
Unerledigt
Login

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mozilla ≫ Thunderbird SwEditionesr Version < 140.7.1

Mozilla ≫ Thunderbird SwEdition- Version < 147.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.031

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://bugzilla.mozilla.org/show_bug.cgi?id=1881530

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2026-07/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-08/

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2026/02/msg00005.html

https://nvd.nist.gov/vuln/detail/CVE-2026-0818

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0818

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0818

EUVD