CVE-2026-3889

Advisory lineage Upstream: 0 Downstream: 19

Downstream

DEBIAN-CVE-2026-3889 DLA-4511-1 DSA-6179-1 MGASA-2026-0081 OPENSUSE-SU-2026:10447-1 RHSA-2026:6188

Modified

Published: 24 Mar 2026, 20:27

Last modified:13 Apr 2026, 13:51

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

v3.1 (cve.org)

EPSS Score

0.03% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

24 Mar 2026, 20:27

Published

Vulnerability first disclosed

13 Apr 2026, 13:51

Last Modified

Vulnerability information updated

Description

Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.03%• Percentile: 10%

Techniques & Countermeasures

CWE-451•User Interface (UI) Misrepresentation of Critical Information
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Affected Systems

mozilla•thunderbird
≥ unspecified, < 149 | ≥ unspecified, < 140.9 | < 140.9.0 | < 149.0