Multiple critical vulnerabilities in Thunderbird (CVE-2026-5731, CVE-2026-5732, CVE-2026-5734), including issues with CVSS scores up to 9.8, could result in arbitrary code execution. Affected versions include Mozilla Thunderbird earlier than 140.9.1 and earlier than 149.0.2. The fixed versions are Thunderbird 140.9.1 and 149.0.2.
[SECURITY] [DSA 6211-1] thunderbird security update To : debian-security-announce@lists.debian.org Subject : [SECURITY] [DSA 6211-1] thunderbird security update From : Moritz Muehlenhoff < jmm@debian.org > Date : Tue, 14 Apr 2026 20:43:51 +0000 Message-id : < [🔎] ad6nB6GzahIdR1Xv@seger.debian.org > Reply-to : debian-security-announce-request@lists.debian.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6211-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 14, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2026-5731 CVE-2026-5732 CVE-2026-5734 Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. For the oldstable distribution (bookworm), these problems have been fixed in version 1:140.9.1esr-1~deb12u1. For the stable distribution (trixie), these problems have been fixed in version 1:140.9.1esr-1~deb13u1. We recommend that you upgrade your thunderbird packages. For the detailed security status of thunderbird please refer to its security tracker page at: https://security-tracker.debian.org/tracker/thunderbird Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmnepSUACgkQEMKTtsN8 Tja5EhAAidzbL1avRZqbProByJTPXlWJYigCmlxjCLaLoMLi4ih5QuojLSoDs2Jd ug1QqSVHrnO5rvgqdc9HT3YBefnOK4rlH7YVVVG3wQZsJ6W7KAVUZc8kDNNVOx5Q RBo9NC7a0vB/XzPV+r88m0xTnxnhBqxlWZ0nBWS7UAWvKEwOpcyyVC4dgl9zTX1V yLIJXVX/cAkDd0mC1xWyFwzF5fyH+DA8xnC2/j1Zmhmad4eqq9YMnqh3ath+X4So jm5KY0N8WpZL3hZojtyWVzHGM2fLgSLUG4t5qy2R3qBeVR78o15zQxpEi5lopjOu szp3VrW3ZaVvnSo9IGI5lVo5cISWzGweQ0QfMSDAxt93cgK7VU2pRxsKMKpHS4VF ICUPZThBwzZa00HfZhZDZErmsdAgRjcntyhQzwBl6lYaQ5HH4UQhY8NglHh2kF7G tfQH4iSQjMDdJ+AaX59LUNs6df6OA7QurYccJHIk7awn88YP4QDkit06b7kjd2ba 8MJESS6NyG+ScuzKssOghn6u5r/E9bXM3KVWkyevcqxPUZwJuW16XobY0kf1//TG rJPIigPqzjzWoB43TB/OHIxKNgH2cug6728Dm7i1gm/Ng8lhx35UaYCGQX7BHRVN zwawitK2ZVGJXATIn9WTT8RiVq01yDBt15MyLY+oziM9Hezs4wU= =2cvG -----END PGP SIGNATURE----- Reply to: debian-security-announce@lists.debian.org Moritz Muehlenhoff (on-list) Moritz Muehlenhoff (off-list) Prev by Date: [SECURITY] [DSA 6210-1] imagemagick security update Previous by thread: [SECURITY] [DSA 6210-1] imagemagick security update Index(es): Date Thread