CVE-2026-0818

CVE-2026-0818 is a medium-severity vulnerability in Mozilla Thunderbird with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-116.

Key facts

Description

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.

Frequently asked questions

What is CVE-2026-0818?
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.
How severe is CVE-2026-0818?
CVE-2026-0818 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-0818 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-0818?
CVE-2026-0818 primarily affects Mozilla Thunderbird. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-0818?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-0818 have an EU (EUVD) identifier?
Yes. CVE-2026-0818 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4880.
When was CVE-2026-0818 published?
CVE-2026-0818 was published on 2026-01-28 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Mozilla Thunderbird

All CVEs affecting Mozilla Thunderbird →

Other CWE-116 vulnerabilities

Browse all CWE-116 vulnerabilities →