A vulnerability, which was classified as problematic, has been found in Mozilla Thunderbird up to 128.10.0/138.0.0. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Mozilla-External-Attachment-URL leads to cross site scripting.
The identification of this vulnerability is CVE-2025-3909. The attack may be initiated remotely. There is no exploit available.
It is recommended to upgrade the affected component.