CVE-2026-0818

MEDIUM 4.3

CSS-based exfiltration of the content from partially encrypted emails when allowing remote content

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.

Vendor	mozilla
Product	thunderbird
Ecosystems	Browser JavaScript
Industries	Technology
Published	Jan 28, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for mozilla thunderbird

Be the first to know when new medium vulnerabilities affecting mozilla thunderbird are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Mozilla / Thunderbird

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

bugzilla.mozilla.org: https://bugzilla.mozilla.org/show_bug.cgi?id=1881530 mozilla.org: https://www.mozilla.org/security/advisories/mfsa2026-07/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2026-08/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2026/02/msg00005.html

Credits

Leon Trampert, Daniel Weber, Christian Rossow, Michael Schwarz