CVE-2025-3523
low-risk
Published 2025-04-15
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Do I need to act?
-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.4/10
Medium
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (3)
Permissions Required
https://bugzilla.mozilla.org/show_bug.cgi?id=1958385
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-26/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-27/
26
/ 100
low-risk
Severity
20/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal