Cyber Resilience

CVE-2026-6765

Severity: Medium
Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0022 (11.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6765 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 11.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-6765 is an information disclosure vulnerability in the Form Autofill component of Mozilla products. It affects Firefox prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird 140 prior to 140.10. The issue, classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 5.3: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact, and no integrity or availability impact.

The exposure description that follows is derived from the CVSS vector, not from published exploit details, which the advisories do not provide. For a browser component such as Form Autofill, AV:N/PR:N/UI:N in practice means that web content served by an attacker-controlled or compromised site can trigger the flaw while the victim has the page open, with no click or other interaction needed. Successful exploitation discloses a limited amount of the data handled by Form Autofill (in Firefox this feature stores saved addresses and payment-card details; saved logins live in the separate password manager); integrity and availability are unaffected.

Mozilla Security Advisories (MFSA 2026-30, 32, 33 and 34) and the associated Bugzilla entry describe the fix shipped in the listed versions. No workaround is mentioned, so mitigation is updating to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10.

Vulnerability details

Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s)

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1555.003 Credentials from Web Browsers Credential Access
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Why these techniques?

The CVE lets web content extract Form Autofill data remotely and without authentication, which the mapping treats as local data collection (T1005) and credential harvesting from browsers (T1555.003). Both mappings are approximations: Firefox Form Autofill holds addresses and payment-card details rather than saved logins, and T1005 normally describes an adversary already present on the host rather than a remote page reading browser state. That is why the confidence below is only medium.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2783 · Same product: Mozilla Firefox
CVE-2026-2803 · Same product: Mozilla Firefox
CVE-2026-6767 · Same product: Mozilla Firefox
CVE-2026-6772 · Same product: Mozilla Firefox
CVE-2026-6770 · Same product: Mozilla Firefox
CVE-2026-6766 · Same product: Mozilla Firefox
CVE-2025-11721 · Same product: Mozilla Firefox
CVE-2025-4086 · Same product: Mozilla Firefox
CVE-2024-10460 · Same product: Mozilla Firefox
CVE-2026-6750 · Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
< 140.10 on the 140 (ESR) branch · < 150 on all other branches
mozilla
thunderbird
< 140.10 on the 140 branch · < 150 on all other branches

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation

Directly requires timely installation of security-relevant software patches, which is the exact mitigation that resolves CVE-2026-6765 by updating to Firefox 150 / ESR 140.10 / Thunderbird 150 / 140.10.

prevent · CM-6 Configuration Settings

Enforces configuration settings that can mandate approved browser versions or automatic update mechanisms, preventing use of the vulnerable Form Autofill code.

detect

Requires scanning to discover vulnerable software versions on organizational systems so the specific information-disclosure flaw can be identified and remediated.
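The detect control above and the affected-version ranges in the Deeper analysis both come down to one question: is a given Firefox or Thunderbird build still inside the affected range? That is not a plain numeric comparison, because the 140 branch is fixed at 140.10 while every other branch needs 150. The following is an added example, not code from the advisory or from Mozilla, that encodes those thresholds as a branch-aware check. It assumes version strings in the form `firefox --version` prints (`Mozilla Firefox 140.9.0esr`), treats every release that is neither on the 140 branch nor at 150 or later as affected (this covers 141 to 149 as well as older ESR lines such as 128.x, which the advisory wording "prior to 140.10" also covers), flags pre-release builds (a1/b3 suffixes) for manual review rather than guessing, and uses a constructed inventory of hosts.

```python
"""Branch-aware check of Mozilla product versions against the CVE-2026-6765 fix versions.

Added example; not part of the advisory. Host names and version strings below are constructed.
"""
import re

# Fixed versions taken from the advisory text: 150 on the mainline, 140.10 on the 140 branch.
# Assumption: anything not on the 140 branch and below 150 is affected.
FIXED = {
    "firefox":     {"esr_major": 140, "esr_fixed": (140, 10, 0), "mainline_fixed": (150, 0, 0)},
    "thunderbird": {"esr_major": 140, "esr_fixed": (140, 10, 0), "mainline_fixed": (150, 0, 0)},
}

# Accepts "Mozilla Firefox 140.9.0esr", "Thunderbird 150.0", "Firefox 149.0.2", "Firefox 150.0b3".
# Group 5 captures the channel suffix: "esr", or a pre-release marker such as "a1"/"b3".
_VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr|[ab]\d+)?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (product, (major, minor, patch), channel); channel is 'esr', 'release' or 'prerelease'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    product = m.group(1).lower()
    version = tuple(int(m.group(i) or 0) for i in (2, 3, 4))  # missing minor/patch count as 0
    suffix = (m.group(5) or "").lower()
    channel = "esr" if suffix == "esr" else ("prerelease" if suffix else "release")
    return product, version, channel


def is_vulnerable(product, version):
    """True if a release build of `product` at `version` predates the fix for its branch."""
    rules = FIXED[product]
    if version[0] == rules["esr_major"]:
        return version < rules["esr_fixed"]      # 140.x: fixed from 140.10
    return version < rules["mainline_fixed"]     # everything else: fixed from 150


def classify(text):
    """'fixed', 'vulnerable' or 'prerelease' (needs manual check) for one version string."""
    product, version, channel = parse_version(text)
    if channel == "prerelease":
        return "prerelease"  # the advisory only speaks about releases; do not guess for betas
    return "vulnerable" if is_vulnerable(product, version) else "fixed"


def assess(inventory):
    """Map host -> verdict for a {host: version-string} inventory; unparseable entries become 'unknown'."""
    result = {}
    for host, text in inventory.items():
        try:
            result[host] = classify(text)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (not real hosts), covering each branch boundary.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 140.9.0esr",
    "ws-02": "Mozilla Firefox 140.10.0esr",
    "ws-03": "Mozilla Firefox 149.0.2",
    "ws-04": "Mozilla Firefox 150.0",
    "ws-05": "Mozilla Firefox 150.0b3",
    "mail-01": "Mozilla Thunderbird 140.9.1esr",
    "mail-02": "Thunderbird 150.0",
    "ws-06": "Chromium 125.0",
}

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{host:8} {verdict:11} {SAMPLE_INVENTORY[host]}")
```

Feeding real `--version` output into `assess` from a fleet inventory gives a per-host verdict that a scanner-style check can act on; the 140.9.0esr versus 140.10.0esr boundary is the one a naive "is it below 150?" comparison gets wrong.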

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). Because the mapping is by CWE class rather than by product, the two rules below concern SSH cipher configuration and do nothing for the Form Autofill flaw itself; read them as a CWE-359 hardening baseline, not as a mitigation for CVE-2026-6765.

Ubuntu 22.04 (1 rule)
  • V-260531 Ubuntu 22.04 LTS must configure the SSH daemon to use FIPS 140-3-approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. via CWE-359
Ubuntu 24.04 (1 rule)
  • V-270670 Ubuntu 24.04 LTS must configure the SSH client to use FIPS 140-3 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. via CWE-359
