Under specific conditions, a malicious webpage may trigger autofill population after two consecutive taps, potentially without clear or intentional user consent. This could result in disclosure of stored autofill data such as addresses, email, or phone number metadata.
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. What is the version information for this release? Microsoft Edge Version Date Released Based on Chromium Version 145.0.3800.58 02/17/2026 145.0.7632.45/.46 According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).
<a href="https://www.linkedin.com/in/manojkumar-j-7ba35b202/">Manojkumar Jaganathan</a> with <a href="https://www.hackerbro.net/">Hacker Bro Technologies</a>, Jaganathan Ananthakrishnan with <a href="https://hackerbro.net/">HackerBro Technologies</a>