{"id":"CVE-2025-8036","details":"Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox \u003c 141, Firefox ESR \u003c 140.1, Thunderbird \u003c 141, and Thunderbird \u003c 140.1.","modified":"2026-05-04T08:42:27.121241Z","published":"2025-07-22T21:15:50.760Z","withdrawn":"2026-05-04T08:42:27.121241Z","related":["SUSE-SU-2025:02529-1","SUSE-SU-2025:02531-1","SUSE-SU-2025:02546-1","openSUSE-SU-2025:15371-1","openSUSE-SU-2025:15383-1","openSUSE-SU-2025:15386-1"],"references":[{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/652514"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2025-56/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2025-59/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2025-61/"},{"type":"ADVISORY","url":"https://www.mozilla.org/security/advisories/mfsa2025-63/"},{"type":"REPORT","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1960834"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"140.1.0"}]},{"events":[{"introduced":"0"},{"fixed":"141.0"}]},{"events":[{"introduced":"0"},{"fixed":"140.1.0"}]},{"events":[{"introduced":"0"},{"fixed":"141.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8036.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}