CVE-2026-12068 PUBLISHED

Avira Password Manager credential disclosure via cross-origin autofill in Firefox

Assigner: GEN
Reserved: 12.06.2026 Published: 12.06.2026 Updated: 12.06.2026

An information disclosure vulnerability in Avira Password Manager, when used with Mozilla Firefox, may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page, due to incorrect autofill field selection.

This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 7.4

Product Status

Vendor: Gen Digital
Product: Avira Password Manager
Versions (Default: affected)
  • Version * is affected

Solutions

Avoid triggering Avira Password Manager autofill on web pages that embed cross-origin iframes (for example advertisement frames) when using Firefox. No software update is currently planned.
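
One way to check a page for the condition this workaround names, as an added example (not code from Gen Digital or the reporter): it classifies a page's iframes by origin so cross-origin ones can be spotted before autofill is triggered. The frame descriptor shape (`src`, `sandbox`, `srcdoc`), the function names and the sample URLs are assumptions made for illustration.

```javascript
'use strict';

// Returns the origin a frame's document will have, or 'opaque' when the
// browser gives it a unique origin that matches nothing.
function frameOrigin(frame, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const sandbox = frame.sandbox; // null/undefined when the attribute is absent
  if (sandbox != null && !sandbox.split(/\s+/).includes('allow-same-origin')) {
    return 'opaque'; // sandboxed without allow-same-origin
  }
  // srcdoc, a missing src and about:blank inherit the embedding page's origin.
  if (frame.srcdoc || !frame.src || frame.src.trim() === 'about:blank') {
    return pageOrigin;
  }
  let url;
  try {
    url = new URL(frame.src, pageUrl); // resolves a relative src against the page
  } catch {
    return 'opaque'; // unparsable src: treat conservatively as cross-origin
  }
  // data: and other non-hierarchical schemes report the string "null".
  return url.origin === 'null' ? 'opaque' : url.origin;
}

// Lists the frames that are cross-origin to the page, the situation in which
// the advisory says not to trigger autofill.
function crossOriginFrames(pageUrl, frames) {
  const pageOrigin = new URL(pageUrl).origin;
  return frames
    .map((f) => ({ src: f.src || '', origin: frameOrigin(f, pageUrl) }))
    .filter((f) => f.origin !== pageOrigin);
}

// Constructed sample: frames of a hypothetical login page.
const PAGE = 'https://shop.example/login';
const SAMPLE_FRAMES = [
  { src: '/widgets/help.html' },                           // same origin (relative)
  { src: 'https://ads.example.net/banner?id=1' },          // different host
  { src: 'https://shop.example:8443/pay' },                // different port
  { src: 'http://shop.example/legacy' },                   // different scheme
  { src: '/widgets/chat.html', sandbox: 'allow-scripts' }, // opaque via sandbox
  { src: 'about:blank' },                                  // inherits page origin
  { src: 'data:text/html,<p>hi</p>' },                     // opaque
];

for (const f of crossOriginFrames(PAGE, SAMPLE_FRAMES)) {
  console.log(`cross-origin frame: ${f.origin}  ${f.src}`);
}
```

In a browser the descriptors would be built from each `iframe` element's `src`, `sandbox` and `srcdoc` attributes. The check covers only the frames it is given, so nested frames and frames injected after the check are out of its view.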

Credits

  • Riccardo, an independent security researcher at TU Wien (reporter)

Problem Types

  • CWE-669: Incorrect Resource Transfer Between Contexts

Impacts

  • CAPEC-116: Excavation