{"api_version":"1","generated_at":"2026-06-14T02:57:47+00:00","cve":"CVE-2026-12068","urls":{"html":"https://cve.report/CVE-2026-12068","api":"https://cve.report/api/cve/CVE-2026-12068.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12068","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12068"},"summary":{"title":"Avira Password Manager credential disclosure via cross-origin autofill in Firefox","description":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.","state":"PUBLISHED","assigner":"GEN","published_at":"2026-06-12 23:16:33","updated_at":"2026-06-12 23:16:33"},"problem_types":["CWE-669","CWE-669 CWE-669 Incorrect Resource Transfer Between Contexts"],"metrics":[{"version":"3.1","source":"security@nortonlifelock.com","type":"Secondary","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.4","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.gendigital.com/us/en/contact-us/security-advisories/","name":"https://www.gendigital.com/us/en/contact-us/security-advisories/","refsource":"security@nortonlifelock.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12068","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12068","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Gen Digital","product":"Avira Password Manager","version":"affected *","platforms":["Firefox","Windows","macOS","Linux"]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Avoid triggering Avira Password Manager autofill on web pages that embed cross-origin iframes (for example advertisement frames) when using Firefox. No software update is currently planned.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Riccardo, an independent security researcher at TU Wien","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12068","cve":"CVE-2026-12068","epss":"0.000390000","percentile":"0.122440000","score_date":"2026-06-13","updated_at":"2026-06-14 00:08:31"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"affected","platforms":["Firefox","Windows","macOS","Linux"],"product":"Avira Password Manager","vendor":"Gen Digital","versions":[{"status":"affected","version":"*"}]}],"credits":[{"lang":"en","type":"reporter","value":"Riccardo, an independent security researcher at TU Wien"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.<p>This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.</p>"}],"value":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux."}],"impacts":[{"capecId":"CAPEC-116","descriptions":[{"lang":"en","value":"CAPEC-116 Excavation"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-669","description":"CWE-669 Incorrect Resource Transfer Between Contexts","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-12T22:19:18.986Z","orgId":"dbd8429d-f261-4b1e-94cc-ae3132817e2e","shortName":"GEN"},"references":[{"url":"https://www.gendigital.com/us/en/contact-us/security-advisories/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Avoid triggering Avira Password Manager autofill on web pages that embed cross-origin iframes (for example advertisement frames) when using Firefox. <strong>No software update is currently planned.</strong>"}],"value":"Avoid triggering Avira Password Manager autofill on web pages that embed cross-origin iframes (for example advertisement frames) when using Firefox. No software update is currently planned."}],"source":{"discovery":"EXTERNAL"},"title":"Avira Password Manager credential disclosure via cross-origin autofill in Firefox","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"dbd8429d-f261-4b1e-94cc-ae3132817e2e","assignerShortName":"GEN","cveId":"CVE-2026-12068","datePublished":"2026-06-12T22:19:18.986Z","dateReserved":"2026-06-12T09:09:57.930Z","dateUpdated":"2026-06-12T22:19:18.986Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-12 23:16:33","lastModifiedDate":"2026-06-12 23:16:33","problem_types":["CWE-669","CWE-669 CWE-669 Incorrect Resource Transfer Between Contexts"],"metrics":{"cvssMetricV31":[{"source":"security@nortonlifelock.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12068","Ordinal":"1","Title":"Avira Password Manager credential disclosure via cross-origin au","CVE":"CVE-2026-12068","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12068","Ordinal":"1","NoteData":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.","Type":"Description","Title":"Avira Password Manager credential disclosure via cross-origin au"}]}}}