CVE-2026-6765
Published: 21 April 2026
Summary
CVE-2026-6765 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 11.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-6765 is an information disclosure vulnerability in the Form Autofill component of Mozilla products. It affects Firefox versions prior to 150, Firefox ESR versions prior to 140.10, Thunderbird versions prior to 150, and Thunderbird versions prior to 140.10. The issue, classified under CWE-359 (Exposure of Private Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 5.3, reflecting medium severity with network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, and low confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation allows disclosure of sensitive information stored or handled by the Form Autofill feature, such as autofill data, though the impact is limited to low confidentiality without affecting integrity or availability.
Mozilla Security Advisories (MFSA 2026-30, 32, 33, and 34) and the associated Bugzilla entry detail the fix applied in the specified versions. Mitigation requires updating to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10, as no additional workarounds are mentioned.
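As an added example (not code from the advisory or from Mozilla), a defender-side inventory check that flags Firefox, Firefox ESR and Thunderbird builds still below the fixed versions stated above. It assumes that ESR builds report an `esr` suffix in their version string (as shown in about:support) and that the host inventory is a constructed sample.

```python
"""Flag Firefox / Firefox ESR / Thunderbird builds still affected by CVE-2026-6765."""
import re

# Fixed versions from the advisory: Firefox 150, ESR 140.10, Thunderbird 150 / 140.10.
FIXED = {
    ("firefox", "release"): (150, 0),
    ("firefox", "esr"): (140, 10),
    ("thunderbird", "release"): (150, 0),
    ("thunderbird", "esr"): (140, 10),
}

# Accepts "149.0.2", "150.0", "140.9.0esr"; the "esr" suffix selects the ESR branch
# (assumption: ESR builds always carry that suffix in their reported version).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(version: str):
    """Return (major, minor, channel) for a Mozilla version string."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    channel = "esr" if m.group(4) else "release"
    return int(m.group(1)), int(m.group(2)), channel


def is_vulnerable(product: str, version: str) -> bool:
    """True if this build predates the fixed version for its product and channel."""
    major, minor, channel = parse_version(version)
    return (major, minor) < FIXED[(product.lower(), channel)]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "149.0.2"),
    ("ws-02", "firefox", "150.0"),
    ("ws-03", "firefox", "140.9.0esr"),
    ("ws-04", "firefox", "140.10.0esr"),
    ("ws-05", "thunderbird", "140.10.0esr"),
    ("ws-06", "thunderbird", "148.0.1"),
]


def hosts_needing_update(inventory):
    """Return the inventory rows whose build is still below the fixed version."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


if __name__ == "__main__":
    for host, product, version in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} {product} {version}")
```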
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24106
Vulnerability details
Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote, unauthenticated extraction of browser autofill data (potentially including credentials), which maps directly to Data from Local System (T1005): local data access and credential harvesting from web browsers.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of security-relevant software patches, which is the exact mitigation that resolves CVE-2026-6765 by updating to Firefox 150 / ESR 140.10 / Thunderbird 150 / 140.10.
- CM-6 (Configuration Settings): enforces configuration settings that can mandate approved browser versions or automatic update mechanisms, preventing use of the vulnerable Form Autofill code.
- Vulnerability scanning: requires scanning to discover vulnerable software versions on organizational systems so the specific information-disclosure flaw can be identified and remediated.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Ubuntu 22.04 (1 rule)
- V-260531: Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission (via CWE-359).
Ubuntu 24.04 (1 rule)
- V-270670: Ubuntu 24.04 LTS must configure the SSH client to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission (via CWE-359).