ALSA-2025:8756

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

• thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (CVE-2025-3909)
• thunderbird: Sender Spoofing via Malformed From Header in Thunderbird (CVE-2025-3875)
• thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (CVE-2025-3877)
• thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking (CVE-2025-3932)
• firefox: thunderbird: Out-of-bounds access when resolving Promise objects (CVE-2025-4918)
• firefox: thunderbird: Out-of-bounds access when optimizing linear sums (CVE-2025-4919)
• firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details (CVE-2025-5267)
• firefox: thunderbird: Potential local code execution in ?Copy as cURL? command (CVE-2025-5264)
• firefox: thunderbird: Memory safety bugs (CVE-2025-5268)
• firefox: thunderbird: Script element events leaked cross-origin resource status (CVE-2025-5266)
• firefox: thunderbird: Error handling for script execution was incorrectly isolated from web content (CVE-2025-5263)
• firefox: thunderbird: Memory safety bug (CVE-2025-5269)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.