Description
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.
Published: 2026-01-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via CSS-based Exfiltration
Action: Apply Patch
AI Analysis

Impact

When a user explicitly decrypts an inline OpenPGP message that is embedded within an HTML‑styled email, the decrypted content is rendered inside the same CSS context as the outer message. An attacker can craft CSS rules, custom fonts, and animations that expose the hidden plaintext or coerce the client to transmit it to a remote endpoint, enabling the confidential contents of the email to be exfiltrated. This flaw results in an information‑disclosure vulnerability.

Affected Systems

All versions of Mozilla Thunderbird before 147.0.1 and, for the ESR channel, before 140.7.1 are affected. The issue is present in builds that support OpenPGP decryption and HTML email rendering and is resolved in the referenced release numbers.

Risk and Exploitability

The exploit requires the user to both decrypt the message and have the remote content option enabled, making it a user‑interaction attack. The CVSS score of 4.3 reflects its moderate severity given these prerequisites. End users are unlikely to encounter widespread exploitation, and the EPSS score of less than 1% indicates a low likelihood of attack. The flaw is not listed in the KEV catalog, suggesting it has not yet been actively exploited at scale. Nevertheless, the vulnerability should be mitigated promptly to prevent potential information leaks.

Generated by OpenCVE AI on April 15, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to version 147.0.1 or newer, or Thunderbird ESR 140.7.1 or newer, which includes the patch for this vulnerability.
  • Configure Thunderbird to block remote content when viewing encrypted messages by disabling the 'Allow loading of remote content' setting in the account or global preferences.
  • Avoid automatically decrypting OpenPGP messages in emails that contain HTML content; instead decrypt manually after verifying the sender’s identity.

Advisories
Source      ID           Title
Debian DLA  DLA-4466-1   thunderbird security update
Debian DSA  DSA-6118-1   thunderbird security update
Ubuntu USN  USN-7991-1   Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.
Values Added: When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability was fixed in Thunderbird 147.0.1 and Thunderbird 140.7.1.

Wed, 04 Feb 2026 10:30:00 +0000

Type: References

Mon, 02 Feb 2026 12:15:00 +0000


Sat, 31 Jan 2026 15:30:00 +0000

Type: Description
Values Removed: CSS-based exfiltration of the content from partially encrypted emails when allowing remote content. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.
Values Added: When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.

Fri, 30 Jan 2026 18:15:00 +0000

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla thunderbird

Type: Vendors & Products
Values Added: Mozilla; Mozilla thunderbird

Wed, 28 Jan 2026 17:15:00 +0000

Type: Weaknesses
Values Added: CWE-116; CWE-200; CWE-352

Type: Metrics
Values Added:
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 07:45:00 +0000

Type: Description
Values Added: CSS-based exfiltration of the content from partially encrypted emails when allowing remote content. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1.

Type: Title
Values Added: CSS-based exfiltration of the content from partially encrypted emails when allowing remote content

Type: References

Subscriptions

Mozilla Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:52:14.777Z

Reserved: 2026-01-09T16:32:39.712Z

Link: CVE-2026-0818

Vulnrichment

Updated: 2026-02-04T09:14:40.545Z

NVD

Status: Modified

Published: 2026-01-28T08:16:03.113

Modified: 2026-04-13T15:17:15.530

Link: CVE-2026-0818

Redhat

Severity:

Published Date: 2026-01-28T07:39:17Z

Links: CVE-2026-0818 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses