Avira Password Manager CVE-2026-12068

EUVD: EUVD-2026-36632 · HIGH
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-06-12 GEN GHSA-h53c-vv76-w4w5
7.4
CVSS 3.1 · Vendor: GEN
Severity by source

Vendor (GEN) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
vuln.today AI
7.4 HIGH

Network-delivered via a malicious page, no auth needed, but requires user interaction to trigger autofill; credentials cross origin (S:C) with confidentiality-only impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GEN).

CVSS Vector (Vendor: GEN)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

Analysis Generated
Jun 12, 2026 - 23:17 vuln.today
CVE Published
Jun 12, 2026 - 22:19 cve.org
HIGH 7.4

Description (CVE.org)

Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.

This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.

Analysis (AI)

Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations. No public exploit was identified at the time of analysis, but the CVSS 7.4 score (S:C/C:H) reflects the cross-origin trust boundary violation.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to malicious page
Delivery
Embed target login form in cross-origin iframe
Exploit
User interacts triggering autofill
Execution
Extension selects attacker-controlled fields
Persist
Credentials leak to parent origin
Impact
Exfiltrate to attacker server

Vulnerability Assessment (AI)

Exploitation Requires (1) the victim to have Avira Password Manager installed in Firefox with credentials saved for the targeted origin, (2) the victim to visit an attacker-controlled page that successfully embeds a cross-origin iframe referencing or impersonating the targeted login form, (3) user interaction with the page sufficient to trigger autofill (UI:R in the CVSS vector), and (4) the targeted site to NOT set X-Frame-Options: DENY or CSP frame-ancestors restrictions that would block being iframed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N paints a serious confidentiality-only picture: network-reachable, low complexity, no privileges, but requires user interaction (likely clicking or focusing a form) and produces a scope change as credentials cross origin boundaries. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a phishing or watering-hole page that embeds a victim site's login form in a hidden or visually disguised cross-origin iframe; when the user visits and interacts with the page (UI:R), Avira Password Manager autofills credentials into attacker-controlled fields that the extension incorrectly selects, and the attacker exfiltrates them via the parent frame. No public exploit is identified at time of analysis, but the attack pattern is well-known from prior password manager iframe disclosure research.
Remediation Patch available per vendor advisory - update Avira Password Manager to the version published in Gen Digital's security advisories at https://www.gendigital.com/us/en/contact-us/security-advisories/; an exact fixed version is not specified in the supplied data and should be confirmed against that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Notify all users of the Avira Password Manager Firefox extension to disable it immediately and switch to alternative password managers (e.g., Bitwarden, 1Password, KeePass) with current security patches applied. …
