{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-12068: Avira Password Manager credential disclosure via cross-origin autofill in Firefox","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-12068","status":"final","version":"1","initial_release_date":"2026-06-12T22:19:18.986Z","current_release_date":"2026-06-15T16:01:19.318Z","revision_history":[{"date":"2026-06-12T22:19:18.986Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-12068 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-12068"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-12068"},{"category":"external","summary":"gendigital.com","url":"https://www.gendigital.com/us/en/contact-us/security-advisories/"}]},"product_tree":{"branches":[{"category":"vendor","name":"Gen Digital","branches":[{"category":"product_name","name":"Avira Password Manager","branches":[{"category":"product_version","name":"*","product":{"name":"Gen Digital Avira Password Manager *","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:gen_digital:avira_password_manager:\\*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-12068","title":"Avira Password Manager credential disclosure via cross-origin autofill in Firefox","notes":[{"category":"description","text":"Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection.\n\nThis issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","baseScore":7.4,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}