PT-2025-25209 · Mozilla · Thunderbird

Dario Weißer · Published 2025-06-10 · Updated 2025-10-01 · CVE-2025-5986

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 128.11.1
Thunderbird versions prior to 139.0.2

Description

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content.

Recommendations

For Thunderbird versions prior to 128.11.1, update to version 128.11.1 or later to resolve the issue. For Thunderbird versions prior to 139.0.2, update to version 139.0.2 or later to resolve the issue. As a temporary workaround, consider disabling HTML mode for email viewing until a patch is available. Restrict access to external content when viewing emails in HTML mode to minimize the risk of exploitation.

Fix

UI Misrepresentation of Critical Information

RCE

Weakness Enumeration

Related Identifiers

ALSA-2025:10195
ALSA-2025:10196
ALSA-2025:10246
ALT-PU-2025-11495
ALT-PU-2025-8611
BDU:2025-08579
CESA-2025_10246
CVE-2025-5986
DLA-4239-1
DSA-5959-1
INFSA-2025_10196
INFSA-2025_10246
MGASA-2025-0197
OESA-2025-1835
OPENSUSE-SU-2025:15204-1
RHSA-2025:10159
RHSA-2025:10160
RHSA-2025:10161
RHSA-2025:10163
RHSA-2025:10164
RHSA-2025:10165
RHSA-2025:10166
RHSA-2025:10195
RHSA-2025:10196
RHSA-2025:10246
RHSA-2025_10196
RHSA-2025_10246
SUSE-SU-2025:02158-1
USN-7663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Thunderbird
Ubuntu