UBUNTU-CVE-2026-57963

Source
https://ubuntu.com/security/CVE-2026-57963
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57963.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-57963
Upstream
  • CVE-2026-57963
Published
2026-07-01T02:17:00Z
Modified
2026-07-02T18:03:23.042804311Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

References

Affected packages

Ubuntu:22.04:LTS / thunderbird

Package

Name
thunderbird
Purl
pkg:deb/ubuntu/thunderbird?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:91.*
1:91.1.2+build1-0ubuntu1
1:91.3.0+build2-0ubuntu1
1:91.3.1+build1-0ubuntu1
1:91.3.2+build1-0ubuntu1
1:91.4.0+build1.1-0ubuntu1
1:91.4.0+build2-0ubuntu1
1:91.5.0+build1-0ubuntu1
1:91.5.1+build1-0ubuntu1
1:91.6.1+build1-0ubuntu1
1:91.7.0+build1-0ubuntu1
1:91.7.0+build2-0ubuntu1
1:91.8.0+build2-0ubuntu1
1:91.9.1+build1-0ubuntu0.22.04.1
1:91.11.0+build2-0ubuntu0.22.04.1
1:102.*
1:102.2.2+build1-0ubuntu0.22.04.1
1:102.4.2+build2-0ubuntu0.22.04.1
1:102.7.1+build2-0ubuntu0.22.04.1
1:102.8.0+build2-0ubuntu0.22.04.1
1:102.9.0+build1-0ubuntu0.22.04.1
1:102.10.0+build2-0ubuntu0.22.04.1
1:102.11.0+build1-0ubuntu0.22.04.1
1:102.13.0+build1-0ubuntu0.22.04.1
1:102.15.0+build1-0ubuntu0.22.04.1
1:102.15.1+build1-0ubuntu0.22.04.1
1:115.*
1:115.3.1+build1-0ubuntu0.22.04.2
1:115.4.1+build1-0ubuntu0.22.04.1
1:115.5.0+build1-0ubuntu0.22.04.1
1:115.6.0+build2-0ubuntu0.22.04.1
1:115.8.1+build1-0ubuntu0.22.04.1
1:115.9.0+build1-0ubuntu0.22.04.1
1:115.10.1+build1-0ubuntu0.22.04.1
1:115.11.0+build2-0ubuntu0.22.04.1
1:115.12.0+build3-0ubuntu0.22.04.1
1:115.13.0+build5-0ubuntu0.22.04.1
1:115.15.0+build1-0ubuntu0.22.04.1
1:115.16.0+build2-0ubuntu0.22.04.1
1:115.18.0+build1-0ubuntu0.22.04.1
1:128.*
1:128.12.0+build1-0ubuntu0.22.04.1
1:140.*
1:140.7.1+build1-0ubuntu0.22.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "thunderbird",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "thunderbird-gnome-support",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "thunderbird-mozsymbols",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "xul-ext-calendar-timezones",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "xul-ext-gdata-provider",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "xul-ext-lightning",
            "binary_version": "1:140.7.1+build1-0ubuntu0.22.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57963.json"

Ubuntu:24.04:LTS / thunderbird

Package

Name
thunderbird
Purl
pkg:deb/ubuntu/thunderbird?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:115.*
1:115.3.1+build1-0ubuntu1
1:115.4.1+build1-0ubuntu1
1:115.4.3+build1-0ubuntu1
1:115.5.0+build1-0ubuntu1
1:115.5.1+build1-0ubuntu1
1:115.5.2+build2-0ubuntu1
1:115.6.0+build1-0ubuntu1
1:115.6.0+build2-0ubuntu1
1:115.6.1+build1-0ubuntu1
1:115.8.0+build1-0ubuntu1
1:115.8.1+build1+snap2
1:115.8.1+build1+snap3
Other
2:1snap1-0ubuntu1
2:1snap1-0ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "thunderbird",
            "binary_version": "2:1snap1-0ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57963.json"

Ubuntu:25.10 / thunderbird

Package

Name
thunderbird
Purl
pkg:deb/ubuntu/thunderbird?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

Other
2:1snap1-0ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "thunderbird",
            "binary_version": "2:1snap1-0ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57963.json"

Ubuntu:26.04:LTS / thunderbird

Package

Name
thunderbird
Purl
pkg:deb/ubuntu/thunderbird?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

Other
2:1snap1-0ubuntu3
2:1snap1-0ubuntu4
2:1snap1-0ubuntu5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "thunderbird",
            "binary_version": "2:1snap1-0ubuntu5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-57963.json"