Description
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An information disclosure vulnerability exists in the Form Autofill component of Mozilla Firefox. By exploiting this flaw, an attacker can read sensitive data entered into web forms, such as usernames, passwords, or personal details, that is normally protected from external view. The flaw is categorized as a type of information exposure (CWE-359) and can compromise confidentiality of user credentials and personal data.

Affected Systems

Mozilla Firefox versions prior to 150 and the Firefox ESR release 140.10, and Mozilla Thunderbird versions prior to 150 and Thunderbird ESR 140.10, are affected. The issue was resolved in Firefox 150 and ESR 140.10, and in Thunderbird 150 and ESR 140.10, so any installation of earlier builds may be at risk. The vulnerability applies to all platforms where the Form Autofill feature is available, including Windows, macOS, Linux, and mobile variants.

Risk and Exploitability

The CVSS score is 5.3, and the EPSS score is unavailable, but the vulnerability is listed as not in the CISA KEV catalog. Because the exploit requires the ability to trigger form autofill for a target user, the attack vector is likely local or requires user interaction; a purely remote attack is not indicated. Nevertheless, the potential for leaking personal or authentication data makes the flaw significant, especially in environments where forms contain sensitive information.

Generated by OpenCVE AI on April 22, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mozilla Firefox 150 or later, or to Firefox ESR 140.10 or later, or to Mozilla Thunderbird 150 or later, or to Thunderbird ESR 140.10 or later, where the vulnerability has been fixed.
  • If an upgrade cannot be performed immediately, disable or restrict the form autofill feature in the browser’s privacy settings to prevent the component from storing or revealing input data.
  • After updating or disabling autofill, clear any stored form data from the browser’s local storage to eliminate exposed information.

Generated by OpenCVE AI on April 22, 2026 at 06:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
History

Wed, 22 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-359
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Information disclosure in the Form Autofill component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:58.377Z

Reserved: 2026-04-21T12:40:58.662Z

Link: CVE-2026-6765

cve-icon Vulnrichment

Updated: 2026-04-21T20:08:17.962Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.390

Modified: 2026-04-22T16:07:34.370

Link: CVE-2026-6765

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:58Z

Links: CVE-2026-6765 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T07:00:12Z

Weaknesses