Description
Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.
Published: 2025-12-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing of download metadata in Firefox and Thunderbird
Action: Patch
AI Analysis

Impact

The flaw allows an attacker to alter the name or other display information of files shown in the Downloads Panel of Firefox and Thunderbird. The vulnerability is categorized as CWE‑290, indicating a trust issue where an untrusted source can override trusted UI elements. Because the Downloads Panel is visible to all users, an attacker could mislead a user into interacting with a malicious or incorrectly labeled file, potentially enabling social engineering or further exploitation.

Affected Systems

Mozilla Firefox releases prior to version 146 and the ESR 140.7 line, and Mozilla Thunderbird releases prior to version 146 and the ESR 140.7 line are affected. The vulnerability resides in the common Downloads Panel component used by both applications.

Risk and Exploitability

The CVSS score of 7.5 signals a moderate‑to‑high risk. The EPSS score of less than 1 % indicates that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known. The likely attack vector is inferred to involve a malicious website or email that delivers a download through the client, presenting spoofed metadata at remote or local level. Until the fix is applied, users should verify the authenticity of downloads, especially those from untrusted sources.

Generated by OpenCVE AI on April 20, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 146 or newer, or to the ESR 140.7 or later release to receive the fix.
  • Update Thunderbird to version 146 or newer, or to the ESR 140.7 or later release to receive the fix.
  • If an update cannot be applied immediately, temporarily use an alternative browser or email client that does not contain this vulnerability until the official patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7. Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, and Firefox ESR < 140.7. Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7.
References

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146 and Thunderbird < 146. Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, and Firefox ESR < 140.7.
References

Thu, 11 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
Weaknesses CWE-290
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Wed, 10 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146. Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146 and Thunderbird < 146.
References

Wed, 10 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 09 Dec 2025 13:45:00 +0000

Type Values Removed Values Added
Description Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146.
Title Spoofing issue in the Downloads Panel component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:24:13.332Z

Reserved: 2025-12-09T13:38:01.463Z

Link: CVE-2025-14327

cve-icon Vulnrichment

Updated: 2025-12-11T20:43:09.255Z

cve-icon NVD

Status : Modified

Published: 2025-12-09T16:17:40.227

Modified: 2026-04-13T15:16:45.950

Link: CVE-2025-14327

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-12-09T13:38:02Z

Links: CVE-2025-14327 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses