Mozilla Foundation Security Advisory 2026-63
Security Vulnerabilities fixed in Thunderbird 152.0.1
- Announced: June 30, 2026
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 152.0.1
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
# CVE-2026-57962: Denial-of-service via malicious LDAP address-book server
- Reporter: Michael Bommarito
- Impact: medium
Description
A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion.
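The class of problem described above is an LDAP client that keeps appending whatever the directory returns. The following is an added illustration, not Thunderbird's code: a bounded consumer for autocomplete results that stops on a per-query entry cap, a per-attribute size cap and a total-bytes cap, fed by a constructed stand-in for a hostile server. The limit values and the entry-stream shape (dicts of attribute name to bytes) are assumptions for the example.

```python
import itertools
from dataclasses import dataclass, field
from typing import Optional

# Assumed per-query limits for address-book autocomplete results coming from
# an LDAP server the client should not fully trust.
MAX_ENTRIES = 200         # stop after this many directory entries
MAX_ATTR_BYTES = 1024     # largest single attribute value retained
MAX_TOTAL_BYTES = 64_000  # total bytes retained for one autocomplete query

@dataclass
class BoundedResult:
    entries: list = field(default_factory=list)
    retained_bytes: int = 0
    truncated_reason: Optional[str] = None  # None if the server stayed within limits

def collect_autocomplete(entry_stream, attrs=("cn", "mail")):
    """Consume search results incrementally and stop as soon as any limit is
    hit, so a hostile server cannot drive memory use without bound.
    `entry_stream` yields dicts of attribute -> bytes, as a decoder would."""
    result = BoundedResult()
    for raw in entry_stream:
        if len(result.entries) >= MAX_ENTRIES:
            result.truncated_reason = "entry-limit"
            break
        kept = {}
        for name in attrs:
            value = raw.get(name, b"")
            if len(value) > MAX_ATTR_BYTES:
                value = value[:MAX_ATTR_BYTES]  # clip oversized value, keep the entry
            kept[name] = value
        size = sum(len(v) for v in kept.values())
        if result.retained_bytes + size > MAX_TOTAL_BYTES:
            result.truncated_reason = "byte-limit"
            break
        result.entries.append(kept)
        result.retained_bytes += size
    return result

def hostile_server():
    """Constructed stand-in for a malicious server: a never-ending stream of
    entries, each carrying a multi-megabyte attribute value."""
    for i in itertools.count():
        yield {"cn": f"user{i}".encode(), "mail": b"A" * 4_000_000}

def benign_server():
    """Constructed small directory that fits inside every limit."""
    for i in range(5):
        yield {"cn": f"Alice {i}".encode(), "mail": f"alice{i}@example.com".encode()}
```

Clipping after decoding still means each oversized value was read into memory once; a client that wants a hard bound must also enforce the limit in the protocol decoder or at the socket, before the value is materialised.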
# CVE-2026-57963: Chat UI manipulation by injection
- Reporter: Michael Bommarito
- Impact: high
Description
An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI.