CVE-2026-0818: Vulnerability in Mozilla Thunderbird
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer message were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.
AI Analysis
Technical Summary
This vulnerability occurs when Thunderbird decrypts an inline OpenPGP message embedded within an HTML and CSS styled email. The decrypted content is rendered in a context where the outer email's CSS styles remain active. If the user permits loading remote content referenced by the outer email, a malicious sender can craft CSS rules, fonts, and animations to exfiltrate the decrypted secret content. The flaw was addressed by Mozilla in Thunderbird versions 147.0.1 and 140.7.1, eliminating the CSS-based exfiltration vector.
Potential Impact
An attacker who sends a specially crafted email can potentially extract the decrypted contents of an inline OpenPGP message if the user explicitly decrypts it and allows remote content loading. This leads to confidentiality loss of the decrypted email content. The impact is limited to information disclosure and requires user interaction (explicit decryption and enabling remote content). There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in Thunderbird versions 147.0.1 and 140.7.1. Users should update to one of these versions or later to remediate the issue. Until updated, users should avoid allowing remote content loading in emails and be cautious when decrypting inline OpenPGP messages embedded in HTML/CSS formatted emails.
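A triage heuristic for the message shape described above, as an added example that is not from Mozilla or from this page: it flags text/html parts that carry an inline OpenPGP armor block together with CSS and remote references. The function name, the flag names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Indicators taken from the advisory text: inline armor, CSS, remote references.
PGP_INLINE = re.compile(r"-----BEGIN PGP MESSAGE-----")
CSS = re.compile(r"<style\b|\bstyle\s*=", re.I)
REMOTE = re.compile(r"""(?:url\(\s*['"]?|\b(?:src|href)\s*=\s*['"]?)https?://""", re.I)

def risk_flags(raw):
    """Return sorted indicator names for HTML parts holding an inline PGP block."""
    flags = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue  # text/plain parts carry no sender-controlled CSS
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        if not PGP_INLINE.search(html):
            continue
        flags.add("inline-pgp-in-html")
        if CSS.search(html):
            flags.add("css-present")
        if REMOTE.search(html):
            flags.add("remote-reference")
    return sorted(flags)

# Constructed sample: styled HTML part with a placeholder armor block.
SAMPLE_STYLED = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset=utf-8

<html><head><style>@font-face{font-family:x;src:url(https://example.invalid/f.woff)}
</style></head><body><pre>-----BEGIN PGP MESSAGE-----

(placeholder, not real ciphertext)
-----END PGP MESSAGE-----</pre></body></html>
"""

# Constructed sample: the same armor block in a plain-text message.
SAMPLE_PLAIN = """\
From: sender@example.invalid
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

(placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    print(risk_flags(SAMPLE_STYLED), risk_flags(SAMPLE_PLAIN))
```

A message that returns all three flags matches the preconditions in the description and is worth holding for review on clients that are not yet at 147.0.1 or 140.7.1.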
Technical Details
- Data Version: 5.2
- Assigner Short Name: mozilla
- Date Reserved: 2026-01-09T16:32:39.712Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6979bfee4623b1157c9f66d3
Added to database: 1/28/2026, 7:51:10 AM
Last enriched: 4/14/2026, 11:57:17 AM
Last updated: 5/10/2026, 1:58:22 AM