Description
XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Published: 2025-07-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Content Security Policy Bypass
Action: Patch
AI Analysis

Impact

The flaw originates from the handling of XSLT documents, where the source document is not properly propagated, allowing the content to circumvent the application's Content Security Policy. This is a protection mechanism failure (CWE‑693). An attacker could supply a crafted XSLT file that would run privileged actions or inject malicious scripts, effectively breaking the controls provided by CSP.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird, affecting all releases prior to Firefox 141, Thunderbird 141, and all versions older than the ESR 128.13 and ESR 140.1 fixed releases of both browsers.

Risk and Exploitability

The CVSS score of 8.1 indicates a medium‑high severity vulnerability. An EPSS score of less than 1 % shows a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Likely attack vectors involve an attacker delivering a malicious XSLT document via a web page or email attachment, which would bypass CSP enforcement. No public exploit is known, but the potential impact remains significant.

Generated by OpenCVE AI on April 20, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 141 or newer, including ESR 128.13 and ESR 140.1 for extended support releases.
  • Upgrade Mozilla Thunderbird to version 141 or newer, including ESR 128.13 and ESR 140.1 for extended support releases.
  • Apply any additional patches or updates released by Mozilla for related security issues until the latest available version is reached.

Generated by OpenCVE AI on April 20, 2026 at 18:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4250-1 firefox-esr security update
Debian DLA Debian DLA DLA-4253-1 thunderbird security update
Debian DSA Debian DSA DSA-5964-1 firefox-esr security update
Debian DSA Debian DSA DSA-5966-1 thunderbird security update
EUVD EUVD EUVD-2025-22365 XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: XSLT documents could bypass CSP XSLT documents could bypass CSP

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: XSLT documents could bypass CSP
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 28 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 23 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
Description XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:59.396Z

Reserved: 2025-07-22T10:13:57.272Z

Link: CVE-2025-8032

cve-icon Vulnrichment

Updated: 2025-11-03T20:07:51.008Z

cve-icon NVD

Status : Modified

Published: 2025-07-22T21:15:50.360

Modified: 2026-04-13T15:17:09.650

Link: CVE-2025-8032

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-22T20:49:26Z

Links: CVE-2025-8032 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses