CVE-2026-0818
thunderbird - security update
4.3
MEDIUM
CVSS 3.1
EPSS 0.01%
Description
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.
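How to fix CVE-2026-0818
To fix CVE-2026-0818, upgrade the affected packages to the patched versions listed below.
- Upgrade to 1:140.7.1esr-1~deb11u1 or later
- Upgrade to 1:140.7.1esr-1~deb11u1 or later
- Upgrade to 1:140.7.1esr-1~deb12u1 or later
Is CVE-2026-0818 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed at this time.
Affected packages (3)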
- from 0, < 1:140.7.1esr-1~deb11u1
- from 0, < 1:140.7.1esr-1~deb11u1
- from 0, < 1:140.7.1esr-1~deb12u1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |