CVE-2026-12068

Vulnerability

Avira Password Manager, when used as a browser extension in Mozilla Firefox, contains an information disclosure vulnerability due to incorrect autofill field selection. The extension autofills credentials into the parent page, but a cross-origin iframe can access these filled credentials via improper selection. Affected versions: not specified in available references, but affects the extension on Windows, macOS, and Linux [1].

Exploitation

An attacker needs to host a malicious webpage containing a cross-origin iframe that loads the target site. When the user has Avira Password Manager installed and autofill is enabled, the extension may incorrectly autofill credentials into the iframe, allowing the attacker to steal them [1].

Impact

Successful exploitation allows the attacker to obtain the user's credentials (username and password) for the parent website, leading to unauthorized access to the victim's accounts [1].

Mitigation

The advisory [1] is listed but no patch version is disclosed. Until a fix is released, users can disable autofill in Avira Password Manager or use a different password manager. Gen Digital (the vendor) should provide a patched version; check their security advisories page [1] for updates.