CVE-2026-57963 PUBLISHED

Chat UI manipulation by injection

Assigner: mozilla
Reserved: 26.06.2026 Published: 01.07.2026 Updated: 01.07.2026

An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Product Status

Vendor: Mozilla
Product: Thunderbird
Versions:
  • unaffected from 140.12.1 to 140.* (incl.)
  • unaffected from 152.0.1 to * (incl.)

Credits

  • Michael Bommarito
