Mozilla
Thunderbird
See the latest tracked release, confirm when it was published, and subscribe for update emails.
151.0.1
- Release date
- May 26, 2026
- Security status
- 25 high-severity CVEs tracked in the last 90 days. Current version not affected.
Source
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 151.0.1 | 2026-05-26 | Release Notes |
| 151.0 | 2026-05-19 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-8975 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8974 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8973 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8972 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8970 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8969 | HIGH (8.1) | 2026-05-19 | Current versionnot affected | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8968 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8967 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8966 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8965 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8964 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8963 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8962 | HIGH (8.1) | 2026-05-19 | Current versionnot affected | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8960 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8959 | CRITICAL (9.6) | 2026-05-19 | Current versionnot affected | Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8958 | HIGH (8.6) | 2026-05-19 | Current versionnot affected | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8957 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8956 | CRITICAL (9.8) | 2026-05-19 | Current versionnot affected | Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8955 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8954 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8953 | CRITICAL (9.6) | 2026-05-19 | Current versionnot affected | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8952 | HIGH (8.8) | 2026-05-19 | Current versionnot affected | Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|
| CVE-2026-8950 | CRITICAL (9.3) | 2026-05-19 | Current versionnot affected | Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8949 | HIGH (7.5) | 2026-05-19 | Current versionnot affected | Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Affected versions
|
| CVE-2026-8948 | CRITICAL (9.1) | 2026-05-19 | Current versionnot affected | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Affected versions
|