Description
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Published: 2025-07-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript Execution
Action: Immediate Patch
AI Analysis

Impact

Thunderbird and Firefox execute `javascript:` URLs specified within `object` and `embed` tags, permitting an attacker to run arbitrary JavaScript code when the user opens a malicious email or web page. The flaw is a cross‑site scripting vulnerability (CWE‑80) that can lead to data theft, credential compromise, or further malware delivery.

Affected Systems

This issue affects Mozilla Firefox version 141 and earlier, Firefox ESR 128.13 and ESR 140.1, as well as Mozilla Thunderbird 141 and earlier, Thunderbird ESR 128.13 and ESR 140.1. Red Hat Enterprise Linux 8, 9, and 10 packages that include these browsers are also potentially impacted until they apply the corresponding updates.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. It is not listed in the CISA KEV catalog. Attackers can exploit the bug by embedding a `javascript:` URL in an `object` or `embed` tag within an email or web page; when a user opens it, the browser executes the script with the privileges of the user. This client‑side attack does not require additional network access or special user privileges beyond normal usage of the affected applications.

Generated by OpenCVE AI on April 20, 2026 at 16:55 UTC.
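A defender-side check for the condition the analysis describes, as an added example that is not OpenCVE's or Mozilla's code: it parses an HTML body (for instance a mail message before Thunderbird renders it) and flags `object`/`embed` elements whose URL attribute uses the `javascript:` scheme, normalizing case, leading control characters and embedded tabs/newlines the way a URL parser does. The sample body, `normalize_scheme` and `find_javascript_plugin_urls` are constructed for this example.

```python
# Added example (not OpenCVE's or Mozilla's code): scan an HTML body, such as a
# mail message, for <object>/<embed> elements whose URL attribute carries the
# javascript: scheme described in CVE-2025-8029.
import re
from html.parser import HTMLParser

# URL-bearing attributes on the two element types named in the advisory.
URL_ATTRS = {"object": ("data",), "embed": ("src",)}

# A WHATWG-style URL parser strips leading C0 controls/space and drops ASCII
# tab, LF and CR before reading the scheme; mirror that so the scanner sees
# what the rendering engine would see.
_LEADING = re.compile(r"^[\x00-\x20]+")
_INNER = re.compile(r"[\t\n\r]")

def normalize_scheme(value: str) -> str:
    """Return the lowercase scheme of a URL attribute value ('' if none)."""
    cleaned = _INNER.sub("", _LEADING.sub("", value))
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else ""

class _PluginUrlScanner(HTMLParser):
    # HTMLParser lowercases tag/attribute names and decodes entities such as
    # &#x6A; in attribute values before calling handle_starttag.
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value is not None:
                if normalize_scheme(value) == "javascript":
                    self.hits.append((tag, name, value))

def find_javascript_plugin_urls(html: str):
    """Return [(tag, attr, decoded_value)] for object/embed URLs using javascript:."""
    scanner = _PluginUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample body for the check; the script body is a harmless placeholder.
SAMPLE = """<p>Quarterly report attached.</p>
<object data="JavaScript:void(0)"></object>
<embed src="  &#x6A;avascript:void(0)" />
<embed src="https://example.test/report.pdf" />"""
```

Run `find_javascript_plugin_urls(SAMPLE)` to get the two flagged elements; the `https:` embed is not reported.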

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 141 or newer, or to Firefox ESR 128.13/140.1.
  • Upgrade Thunderbird to version 141 or newer, or to Thunderbird ESR 128.13/140.1.
  • Determine if the installed packages come from Red Hat Enterprise Linux 8, 9, or 10; if so, install the vendor’s security update that contains the fixed browser version.
  • If an immediate update is not possible, block execution of `javascript:` URLs in `object` and `embed` tags by applying a content‑security‑policy or using a browser extension that enforces the restriction.

Generated by OpenCVE AI on April 20, 2026 at 16:55 UTC.

Advisories
Source      ID               Title
Debian DLA  DLA-4250-1       firefox-esr security update
Debian DLA  DLA-4253-1       thunderbird security update
Debian DSA  DSA-5964-1       firefox-esr security update
Debian DSA  DSA-5966-1       thunderbird security update
EUVD        EUVD-2025-22370  Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Ubuntu USN  USN-7991-1       Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
  Added: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Mon, 03 Nov 2025 20:30:00 +0000

References

Thu, 30 Oct 2025 16:15:00 +0000

Title
  Removed: firefox: thunderbird: javascript: URLs executed on object and embed tags
  Added: javascript: URLs executed on object and embed tags

Tue, 09 Sep 2025 06:45:00 +0000

Description
  Removed: Firefox executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
  Added: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

Wed, 30 Jul 2025 16:30:00 +0000

Description
  Removed: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
  Added: Firefox executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

Tue, 29 Jul 2025 12:30:00 +0000

Title
  Added: firefox: thunderbird: javascript: URLs executed on object and embed tags
First Time appeared
  Added: Redhat; Redhat enterprise Linux
CPEs
  Added:
    cpe:/a:redhat:enterprise_linux:8
    cpe:/a:redhat:enterprise_linux:9
    cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products
  Added: Redhat; Redhat enterprise Linux
References
Metrics
  threat_severity
    Removed: None
    Added: Moderate

Mon, 28 Jul 2025 18:45:00 +0000

CPEs
  Added:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 23 Jul 2025 17:45:00 +0000

First Time appeared
  Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird
Vendors & Products
  Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Wed, 23 Jul 2025 15:15:00 +0000

Weaknesses
  Added: CWE-80
Metrics
  cvssV3_1
    Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  ssvc
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 21:00:00 +0000

Description
  Added: Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:50.157Z

Reserved: 2025-07-22T10:13:51.239Z

Link: CVE-2025-8029

Vulnrichment

Updated: 2025-11-03T20:07:46.877Z

NVD

Status : Modified

Published: 2025-07-22T21:15:50.057

Modified: 2026-04-13T15:17:08.957

Link: CVE-2025-8029

Redhat

Severity : Moderate

Public Date: 2025-07-22T20:49:24Z

Links: CVE-2025-8029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses