Mozilla Thunderbird vulnerabilities: known CVEs & security history
Mozilla · Email client · 1745 tracked CVEs · 14 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Mozilla Thunderbird release lines — 1745 in total, with 14 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Mozilla Thunderbird's current status and the safe version to run.
Known Mozilla Thunderbird CVEs
Actively-exploited and most-severe first. Showing the top 80 of 1745.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2019-11708 (exploited) | critical | 10 | 56% | 2019 |
| CVE-2024-9680 (exploited) | critical | 9.8 | 33% | 2024 |
| CVE-2010-3765 (exploited) | critical | 9.8 | 83% | 2010 |
| CVE-2022-26486 (exploited) | critical | 9.6 | 2% | 2022 |
| CVE-2023-5217 (exploited) | high | 8.8 | 34% | 2023 |
| CVE-2023-4863 (exploited) | high | 8.8 | 100% | 2023 |
| CVE-2022-26485 (exploited) | high | 8.8 | 14% | 2022 |
| CVE-2019-17026 (exploited) | high | 8.8 | 47% | 2020 |
| CVE-2019-11707 (exploited) | high | 8.8 | 38% | 2019 |
| CVE-2013-1690 (exploited) | high | 8.8 | 69% | 2013 |
| CVE-2020-6820 (exploited) | high | 8.1 | 6% | 2020 |
| CVE-2020-6819 (exploited) | high | 8.1 | 3% | 2020 |
| CVE-2016-9079 (exploited) | high | 7.5 | 88% | 2018 |
| CVE-2013-1675 (exploited) | medium | 6.5 | 7% | 2013 |
| CVE-2026-4692 | critical | 10 | 0% | 2026 |
| CVE-2026-4689 | critical | 10 | 1% | 2026 |
| CVE-2026-2778 | critical | 10 | 0% | 2026 |
| CVE-2026-2776 | critical | 10 | 0% | 2026 |
| CVE-2026-2768 | critical | 10 | 0% | 2026 |
| CVE-2026-2761 | critical | 10 | 0% | 2026 |
| CVE-2026-2760 | critical | 10 | 0% | 2026 |
| CVE-2026-0881 | critical | 10 | 0% | 2026 |
| CVE-2021-4140 | critical | 10 | 1% | 2022 |
| CVE-2021-38503 | critical | 10 | 4% | 2021 |
| CVE-2018-18505 | critical | 10 | 5% | 2019 |
| CVE-2026-8956 | critical | 9.8 | 1% | 2026 |
| CVE-2026-8094 | critical | 9.8 | 0% | 2026 |
| CVE-2026-8091 | critical | 9.8 | 0% | 2026 |
| CVE-2026-6771 | critical | 9.8 | 0% | 2026 |
| CVE-2026-6768 | critical | 9.8 | 0% | 2026 |
| CVE-2026-6760 | critical | 9.8 | 0% | 2026 |
| CVE-2026-6748 | critical | 9.8 | 0% | 2026 |
| CVE-2026-5735 | critical | 9.8 | 0% | 2026 |
| CVE-2026-5734 | critical | 9.8 | 0% | 2026 |
| CVE-2026-5731 | critical | 9.8 | 0% | 2026 |
| CVE-2026-4729 | critical | 9.8 | 0% | 2026 |
| CVE-2026-4721 | critical | 9.8 | 0% | 2026 |
| CVE-2026-4720 | critical | 9.8 | 0% | 2026 |
| CVE-2026-4710 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2807 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2805 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2800 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2799 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2797 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2796 | critical | 9.8 | 1% | 2026 |
| CVE-2026-2795 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2793 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2792 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2791 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2790 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2789 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2788 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2787 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2786 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2785 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2784 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2782 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2781 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2780 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2779 | critical | 9.8 | 1% | 2026 |
| CVE-2026-2777 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2775 | critical | 9.8 | 1% | 2026 |
| CVE-2026-2774 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2773 | critical | 9.8 | 1% | 2026 |
| CVE-2026-2772 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2771 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2770 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2767 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2766 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2765 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2764 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2763 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2762 | critical | 9.8 | 1% | 2026 |
| CVE-2026-2759 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2758 | critical | 9.8 | 0% | 2026 |
| CVE-2026-2757 | critical | 9.8 | 1% | 2026 |
| CVE-2026-0892 | critical | 9.8 | 0% | 2026 |
| CVE-2026-0884 | critical | 9.8 | 0% | 2026 |
| CVE-2026-0879 | critical | 9.8 | 1% | 2026 |
| CVE-2025-14330 | critical | 9.8 | 0% | 2025 |
1665 older / lower-severity CVEs not shown — see Mozilla Thunderbird's full record.
Is my Mozilla Thunderbird version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Mozilla Thunderbird vulnerabilities — frequently asked
How many known vulnerabilities does Mozilla Thunderbird have?
IsItPatched tracks 1745 CVEs for Mozilla Thunderbird, 14 of which are actively exploited (CISA KEV). 266 are critical-severity and 848 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Mozilla Thunderbird have any actively-exploited vulnerabilities?
Yes — 14 Mozilla Thunderbird CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild (1 linked to ransomware). Patch these as a priority.
What is the most severe Mozilla Thunderbird vulnerability?
Among tracked issues, CVE-2019-11708 (CRITICAL, CVSS 10), which is actively exploited, ranks highest; it is an improper input validation weakness.
Is Mozilla Thunderbird safe to use?
It depends on the version. The latest supported Mozilla Thunderbird release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Mozilla's advisories.