CVE-2026-12322

Vulnerability

A clickjacking vulnerability exists in the Widget: Gtk component of Firefox. This UI redressing issue allows an attacker to overlay transparent or opaque elements on top of legitimate user interface elements, potentially tricking a user into clicking on unintended targets. The vulnerability affects Firefox versions prior to 152.

Exploitation

An attacker can exploit this flaw by crafting a malicious web page that presents a deceptive overlay, such as invisible buttons or frames, positioned over trusted UI elements. The attacker must then convince a user to interact with the page, typically through social engineering or by embedding the page in a frame. No special network position or authentication is required beyond hosting the malicious content.

Impact

Successful exploitation can lead to the user performing unintended actions, such as granting permissions, making purchases, or submitting forms, without their informed consent. This can result in privilege escalation or security bypass within the browser context.

Mitigation

The vulnerability is fixed in Firefox 152, released on June 16, 2026 [1]. Users are strongly advised to update to the latest version. No workarounds are available for affected versions.