CVE-2025-8029
HIGHDescription
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Is your site exposed to CVE-2025-8029?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| mozilla | firefox |
| mozilla | firefox |
| mozilla | firefox |
| mozilla | thunderbird |
| mozilla | thunderbird |
| mozilla | thunderbird |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-8029? +
How severe is CVE-2025-8029? +
What products are affected by CVE-2025-8029? +
How do I check if I'm vulnerable to CVE-2025-8029? +
Related Vulnerabilities
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover …
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen …
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a …
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by …
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting …
It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. …