Description
Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in Firefox’s Form Autofill component and permits an attacker to inject forged autofill suggestions. The flaw is a spoofing weakness that affects data integrity and user trust but does not provide an execution path for arbitrary code. The description does not explicitly state the attack vector; it is inferred that an attacker would need to lure a user to a malicious web page that triggers autofill behavior, potentially causing the user to accept incorrect values or credentials, which could lead to credential theft or fraudulent input on web forms.

Affected Systems

The vulnerability affects Mozilla Firefox versions before 151 and Firefox ESR versions before 140.11. Any installation of those releases that utilizes the default autofill functionality is susceptible until an update is applied.

Risk and Exploitability

No EPSS score is publicly available and the flaw is not listed in CISA’s KEV catalog, indicating limited current exploitation. The risk for a typical user remains low to moderate, though the potential impact on the integrity of form inputs is significant. Attackers would need to lure a user to a malicious site that triggers the autofill behavior; no remote code execution or privilege escalation is offered by the flaw. The description does not provide explicit exploitability details, so the assessment relies on the lack of exploitation evidence and the inferred attack path.

Generated by OpenCVE AI on May 19, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Firefox 151 or newer, or Firefox ESR 140.11 or later.
  • If an immediate update is not possible, disable the autofill feature by setting dom.autofill.enabled to false in about:config.
  • After disabling autofill, ensure users are educated about verifying form data and consider using two‑factor authentication to mitigate credential misuse.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type: Description
  Values Removed: Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
  Values Added: Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Type: References

Tue, 19 May 2026 15:45:00 +0000

Type: Weaknesses
  Values Added: CWE-613, CWE-647

Tue, 19 May 2026 15:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla, Mozilla firefox
Type: Vendors & Products
  Values Added: Mozilla, Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type: Description
  Values Added: Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Type: Title
  Values Added: Spoofing issue in the Form Autofill component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:50.926Z

Reserved: 2026-05-19T12:29:57.815Z

Link: CVE-2026-8961

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-19T14:16:52.490

Modified: 2026-05-19T14:23:47.477

Link: CVE-2026-8961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses