Arbitrary Content Injection in Thunderbird Chat Features
CVE-2026-57963

Currently unrated

Key Information:

Vendor

Mozilla

CVE Published:
1 July 2026

What is CVE-2026-57963?

A vulnerability in Thunderbird lets attackers abuse chat message handling over the Matrix and XMPP protocols. By sending specially crafted HTML messages, a malicious user can inject styled content into the chat, including phishing links and CSS that alters the chat user interface. The issue is fixed in Thunderbird versions 152.0.1 and 140.12.1, so affected installations should be updated.

Affected Version(s)

Thunderbird 140.12.1

Thunderbird 152.0.1

Credit

Michael Bommarito