An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Project Subscriptions

Vendors Products
Mozilla Subscribe
Thunderbird Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla thunderbird

Wed, 01 Jul 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 01 Jul 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 01 Jul 2026 01:30:00 +0000

Type Values Removed Values Added
Description An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Title Chat UI manipulation by injection
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-07-01T00:58:33.922Z

Reserved: 2026-06-26T15:27:32.832Z

Link: CVE-2026-57963

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T11:15:15Z

Weaknesses

No weakness.