{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3889", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-10T16:23:43.463Z", "datePublished": "2026-03-24T20:27:14.437Z", "dateUpdated": "2026-04-13T13:51:23.615Z"}, "containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.9", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "149", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9."}]}], "title": "Spoofing issue in Thunderbird", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020723"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "credits": [{"lang": "en", "value": "Eemeli Aro"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:23.615Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:05:32.416050Z", "id": "CVE-2026-3889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:49:11.375Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:05:32.416050Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:06:45.482Z"}}], "cna": {"title": "Spoofing issue in Thunderbird", "credits": [{"lang": "en", "value": "Eemeli Aro"}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.9", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "149", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020723"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:23.615Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3889", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:51:23.615Z", "dateReserved": "2026-03-10T16:23:43.463Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T20:27:14.437Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "4C0558B1-4113-45A8-8E37-A0793A67AD6D", "versionEndExcluding": "140.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "40FE4697-89F1-46F6-8E28-41883647583B", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n en Thunderbird. Esta vulnerabilidad afecta a Thunderbird < 149 y Thunderbird < 140.9."}], "id": "CVE-2026-3889", "lastModified": "2026-04-13T15:17:35.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T21:16:29.330", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020723"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Thunderbird: Thunderbird: Spoofing vulnerability", "id": "2451006", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451006"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["A spoofing flaw has been found in Thunderbird."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3889", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T20:27:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3889\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3889\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=2020723\nhttps://www.mozilla.org/security/advisories/mfsa2026-23/\nhttps://www.mozilla.org/security/advisories/mfsa2026-24/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Thunderbird", "source": "cna", "vendor": "Mozilla"}, "product": "thunderbird", "vendor": "mozilla"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,140.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Thunderbird", "source": "cna", "vendor": "Mozilla"}, "product": "thunderbird", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-13T16:10:06.866604+00:00", "value": {"mitigation_remediation": ["Upgrade Thunderbird to version 149 on the main channel or to version 140.9 on the ESR channel."], "summary": {"action": "Patch Now", "impact": "Impersonation via email spoofing"}, "threat_synthesis": {"affected_systems": "All users running Thunderbird versions earlier than 149 on the main release channel or earlier than 140.9 on the Extended Support Release channel are affected. The CPE entries cover both the standard and ESR builds across all supported platforms, indicating that every installation that has not applied the security update is vulnerable. ", "description_and_impact": "The vulnerability is an input validation defect that allows an attacker to spoof critical information displayed by Thunderbird, such as the sender address or message details. This can lead to social engineering, where the user believes they are interacting with a legitimate contact. The weakness is classified as CWE\u201120 (Improper Input Validation) and CWE\u2011451 (Information Exposure via Misleading Information). No zero\u2011day exploit has been reported, and the advisory is based on a fix to the display logic. ", "risk_and_exploitability": "The CVSS base score of 6.5 places the vulnerability in the moderate range, while the EPSS probability of less than 1% suggests a low likelihood of exploitation. It is not listed in CISA\u2019s KEV catalog. The most likely exploitation method is the delivery of a crafted message containing deceptive sender information; the attacker does not need privileged access to the system, only the ability to send an email that Thunderbird will display. Nonetheless, exploitation requires the message to reach the client. "}}}}, "created": "2026-03-25T11:45:54.291935+00:00", "updated": "2026-04-14T16:42:43.080909+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$thunderbird"]}