{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6765", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:58.662Z", "datePublished": "2026-04-21T12:40:58.955Z", "dateUpdated": "2026-04-21T23:34:58.377Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}]}], "title": "Information disclosure in the Form Autofill component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022419"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "credits": [{"lang": "en", "value": "ABDULAZIZ ALASAIQAH"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:58.377Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-359", "lang": "en", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:08:26.504056Z", "id": "CVE-2026-6765", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:08:30.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:08:26.504056Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:08:17.962Z"}}], "cna": {"title": "Information disclosure in the Form Autofill component", "credits": [{"lang": "en", "value": "ABDULAZIZ ALASAIQAH"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022419"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "descriptions": [{"lang": "en", "value": "Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "value": "Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:58.377Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6765", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:34:58.377Z", "dateReserved": "2026-04-21T12:40:58.662Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:40:58.955Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}], "id": "CVE-2026-6765", "lastModified": "2026-04-22T00:16:32.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:22.390", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022419"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[140.10,141.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-21T22:56:38.889773+00:00", "value": {"mitigation_remediation": ["Upgrade to Mozilla Firefox 150 or later, or to Firefox ESR 140.10 or later, where the vulnerability has been fixed.", "If an upgrade cannot be performed immediately, disable the form autofill feature in the browser\u2019s privacy settings to prevent the component from storing or revealing input data.", "Verify that autofill is no longer storing data by testing with sensitive form fields and confirming that they are not persisted or exposed."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions prior to 150 and the Firefox ESR release 140.10 are affected. The issue was resolved in Firefox 150 and ESR 140.10, so any installation of earlier builds may be at risk. The vulnerability applies to all platforms where the Form Autofill feature is available, including Windows, macOS, Linux, and mobile variants.", "description_and_impact": "An information disclosure vulnerability exists in the Form Autofill component of Mozilla Firefox. By exploiting this flaw, an attacker can read sensitive data entered into web forms, such as usernames, passwords, or personal details, that is normally protected from external view. The flaw is categorized as a type of information exposure (CWE-200) and can compromise confidentiality of user credentials and personal data.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable, but the vulnerability is listed as not in the CISA KEV catalog. Because the exploit requires the ability to trigger form autofill for a target user, the attack vector is likely local or requires user interaction; a purely remote attack is not indicated. Nevertheless, the potential for leaking personal or authentication data makes the flaw significant, especially in environments where forms contain sensitive information."}}}}, "created": "2026-04-21T17:00:11.951251+00:00", "updated": "2026-04-21T23:00:03.493073+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}