Vulnerability Description
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | < 140.7.1 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1881530Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2026-07/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-08/Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2026/02/msg00005.html
FAQ
What is CVE-2026-0818?
CVE-2026-0818 is a vulnerability with a CVSS score of 4.3 (MEDIUM). When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted co...
How severe is CVE-2026-0818?
CVE-2026-0818 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-0818?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird.