Impact
The vulnerability arises because Thunderbird Address Book URI fields are not sanitized, allowing an attacker to embed malicious links in an address book, such as in the "Other" field of the Instant Messaging section. If a user imports such an address book and clicks the link, Thunderbird will open a web page within the client that can execute unprivileged JavaScript. This reflects weaknesses related to CWE-79 (Cross‑Site Scripting) and CWE-601 (Open Redirect).
Affected Systems
All users of Mozilla Thunderbird running versions prior to 128.7 and 135 are affected. The vulnerability is not tied to a specific operating system, but the associated CPEs include various Red Hat Enterprise Linux releases that may host Thunderbird. Any installation that imports address books from untrusted sources can be impacted.
Risk and Exploitability
The CVSS score of 5.4 signals moderate severity; the EPSS score of 1% indicates that attackers are not likely to target this flaw in the near future. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to import a crafted address book and click a malicious link, which relies on user interaction to trigger the embedded JavaScript inside Thunderbird.
OpenCVE Enrichment
Debian DSA
Ubuntu USN