The vulnerability is an input validation defect that allows an attacker to spoof critical information displayed by Thunderbird, such as the sender address or message details. This can lead to social engineering, where the user believes they are interacting with a legitimate contact. The weakness is classified as CWE‑20 (Improper Input Validation) and CWE‑451 (Information Exposure via Misleading Information). No zero‑day exploit has been reported, and the advisory is based on a fix to the display logic.

All users running Thunderbird versions earlier than 149 on the main release channel or earlier than 140.9 on the Extended Support Release channel are affected. The CPE entries cover both the standard and ESR builds across all supported platforms, indicating that every installation that has not applied the security update is vulnerable.

The CVSS base score of 6.5 places the vulnerability in the moderate range, while the EPSS probability of less than 1% suggests a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. The most likely exploitation method is the delivery of a crafted message containing deceptive sender information; the attacker does not need privileged access to the system, only the ability to send an email that Thunderbird will display. Nonetheless, exploitation requires the message to reach the client.