CLSA-2026-1779579653

See a problem?
Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1779579653.json
JSON Data
https://api.osv.dev/v1/vulns/CLSA-2026-1779579653
Upstream
Published
2026-05-25T07:35:52Z
Modified
2026-06-01T00:32:34.799905990Z
Summary
thunderbird: Fix of 4 CVEs
Details
  • CVE-2024-0742: assertion failure in nsPresContext::UserInputEventsAllowed (Document::SetIsInitialDocument sticky-bit)
  • CVE-2025-2830: path traversal via malformed attachment filename in multipart message (directory guard in MimePart._fetchAttachment + mimedrft.cpp)
  • CVE-2025-3909: predictable tempfile path enables JavaScript execution from attachment opened in file:/// context (per-PID tempdir, 0o700)
  • CVE-2025-3932: tracking links in attachments bypass remote-content blocking (scheme allowlist + FeedMsg http(s) carve-out in AttachmentInfo.isEmpty)
References

Affected packages

TuxCare:AlmaLinux:9.2 / thunderbird

Package

Name
thunderbird
Purl
pkg:rpm/tuxcare/thunderbird?distro=almalinux-9.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
115.4.1-1.el9_2.alma.tuxcare.els3

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/almalinux9.2esu/CLSA-2026-1779579653.json"