A crafted HTML email that includes mailbox:/// links can cause Thunderbird to automatically download PDF files to the user’s desktop or home directory without prompting, even when auto‑saving is disabled. Because the download is triggered when the user opens the email in HTML mode, visual obfuscation can hide the trigger and allow an attacker to fill the victim’s disk with arbitrary data or, on Windows, leak credentials through SMB links. The attacker must still obtain a user’s attention to view the email, but once viewed, the automatic download delivers the storage‑exhaustion or credential‑exfiltration effect. This flaw is identified as a loss of confidentiality through credential exposure and loss of integrity through unauthorized data placement, classified under CWE‑400 and CWE‑451.

Mozilla Thunderbird is the only publicly listed affected product. All Thunderbird releases prior to 128.11.1 on Linux and prior to 139.0.2 on other platforms are vulnerable. Red Hat Enterprise Linux systems running Thunderbird older than those patches may also be impacted, though the anomaly chiefly relates to the Thunderbird client itself. The CVE references indicate that the issue also appears in Debian LTS announcements, suggesting that base distributions adopting Thunderbird versions before the fixed releases can be at risk.

The CVSS score of 6.5 indicates medium severity, with an EPSS of less than 1% implying a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been observed as a widely exploited vector. Attackers can exploit it by phishing with malicious HTML emails that, when opened, cause Thunderbird to silently download large or random data, exhausting disk space, or to resolve SMB links that expose credentials. While user interaction is required to view the email, visual obfuscation can reduce detection, making this a realistic social‑engineering attack in environments with lenient email parsing settings.