CVE-2025-8038: firefox: thunderbird: CSP frame-src was not correctly enforced for paths

Severity: Critical

CVSS Score: 9.8

Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.