CVE-2026-8961 - Vulnerability Details

- Spoofing issue in the Form Autofill component

Description

Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Published: 2026-05-19

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a form autofill spoofing flaw that permits malicious actors to supply forged autofill suggestions to the browser’s autocomplete mechanism, thereby potentially inserting incorrect data into user input fields. This flaw does not provide a pathway for code execution or privileged escalation, but it can undermine the integrity of form entries. The weakness is categorized as spoofing (CWE-290).

Affected Systems

Affected systems are Mozilla Firefox versions older than 151 and Firefox ESR releases older than 140.11, as well as Mozilla Thunderbird versions older than 151 and Thunderbird ESR releases older than 140.11. Any installation employing the default autofill feature remains vulnerable until updated to the patched releases.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity, while an EPSS score of <1% indicates a low likelihood of exploitation at present. The flaw is not listed in CISA’s KEV catalog. Attackers would likely need to lure a user to a malicious web page that triggers the autofill component in order to inject spoofed suggestions; therefore, the attack vector is inferred based on the component’s operation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`140.11`	unaffected	≤ 140.*
`151`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.11`	unaffected	≤ 140.*
`151`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[140.11,140.*]`	unaffected	generic	—
`[151,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Firefox 151 (or Firefox ESR 140.11) and to Thunderbird 151 (or Thunderbird ESR 140.11) or newer releases.
If an update is not possible, disable the autofill feature by setting dom.autofill.enabled to false in about:config.
Have users double‑check autofilled form data before submission to ensure correctness.

Generated by OpenCVE AI on May 22, 2026 at 02:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4592-1	firefox-esr security update
Debian DLA	DLA-4594-1	thunderbird security update
Debian DSA	DSA-6283-1	firefox-esr security update
Debian DSA	DSA-6288-1	thunderbird security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1962625
https://nvd.nist.gov/vuln/detail/CVE-2026-8961
https://www.cve.org/CVERecord?id=CVE-2026-8961
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-48/#CVE-2026-8961
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/

History

Fri, 22 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-472
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8961 https://www.cve.org/CVERecord?id=CVE-2026-8961 https://www.mozilla.org/security/advisories/mfsa2026-48/#CVE-2026-8961
Metrics	threat_severity `None`	threat_severity `Low`

Wed, 20 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-613 CWE-647

Wed, 20 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*
Vendors & Products		Mozilla thunderbird

Wed, 20 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-290
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description	Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.	Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References		https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/

Tue, 19 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-613 CWE-647

Tue, 19 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title		Spoofing issue in the Form Autofill component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1962625 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-05-19T12:29:58.485Z

Updated: 2026-05-20T15:46:30.150Z

Reserved: 2026-05-19T12:29:57.815Z

Link: CVE-2026-8961

Vulnrichment

Updated: 2026-05-20T15:12:07.903Z

NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.490

Modified: 2026-05-20T17:58:44.947

Link: CVE-2026-8961

Redhat

Severity : Low

Publid Date: 2026-05-19T12:29:58Z

Links: CVE-2026-8961 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object