CVE-2026-8961
Description
Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spoofing vulnerability in Firefox and Thunderbird's Form Autofill component could allow an attacker to manipulate autofill data, fixed in Firefox 151, ESR 140.11, and Thunderbird 151/140.11.
Vulnerability
A spoofing issue exists in the Form Autofill component of Firefox and Thunderbird [1][2][3][4]. This vulnerability allows an attacker to spoof autofill data, potentially tricking users into entering sensitive information into unintended fields. The issue is present in Firefox versions prior to 151, Firefox ESR prior to 140.11, and Thunderbird versions prior to 151 and 140.11 [1][2][3][4].
Exploitation
An attacker could craft a malicious website or email to inject spoofed autofill entries. In Thunderbird, scripting is disabled in email, but the flaw could be exploited in browser-like contexts [2][3]. The attacker would need to convince the user to interact with the malicious content, such as clicking on a form field, to trigger the spoofing.
Impact
Successful exploitation could lead to the autofill component suggesting fraudulent data, potentially causing the user to submit sensitive information (e.g., credentials, personal details) to an attacker-controlled destination. This could result in information disclosure and credential theft.
Mitigation
The issue is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026 [1][2][3][4]. Users should update to these versions or later. No workarounds are available; updating is the recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <151, <140.11
- Range: <151
- Range: <151
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-48/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-51/ (NVD, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (NVD, Permissions Required)