KeePassXC-Browser Credential Autofill Vulnerability in Sandboxed Iframes

Vulnerability

A vulnerability exists in KeePassXC-Browser versions through 1.9.9.2, where the extension autofills, or prompts to fill, credentials in documents that the browser has placed in a sandbox, whether through a Content Security Policy (CSP) `sandbox` directive or a sandboxed iframe. This flaw allows attacker-controlled scripts running in the sandboxed context to read and exfiltrate the filled form data. The issue arises because the extension fails to recognize and respect the restrictions the browser imposes on sandboxed content, even when that content is served from the same domain.

Impact

Exploitation of this vulnerability allows for unauthorized access to and exfiltration of stored credentials from forms in documents rendered within sandboxed iframes.

Remediation

Users can update to KeePassXC-Browser version 1.9.9.3, which includes a fix for this vulnerability by preventing credential autofill in sandboxed iframes.
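As an added illustration of the kind of check the fix implies (example code, not KeePassXC-Browser's own), the helper below refuses autofill when the document has an opaque origin (the result of a sandbox without `allow-same-origin`, from either the iframe attribute or the CSP directive), when it sits in an iframe carrying a `sandbox` attribute, or when it is framed by a parent it cannot inspect. `origin`, `top` and `frameElement` are standard DOM properties; the mock window objects are constructed so the code runs outside a browser.

```javascript
// Added example, not KeePassXC-Browser code: decide whether a content script
// should offer credential autofill, given a window-like object. The policy is
// conservative: refuse on any sign that the document is sandboxed.
function isSandboxedDocument(win) {
  // A sandbox without allow-same-origin (iframe attribute or CSP `sandbox`
  // directive) gives the document an opaque origin, serialised as "null".
  if (win.origin === "null") return true;
  if (win.top === win) return false; // top-level document, not framed
  // Framed and same-origin with the parent: the <iframe> element is reachable,
  // so its sandbox attribute can be inspected (allow-same-origin keeps the
  // origin intact, so the check above would not have caught it).
  const frame = win.frameElement;
  if (frame === null) return true; // cross-origin parent: cannot verify, refuse
  return frame.hasAttribute("sandbox");
}

function shouldAutofill(win, hasCredentialForm) {
  return hasCredentialForm && !isSandboxedDocument(win);
}

// Constructed mock windows standing in for the real DOM. `framing` is one of
// "top", "same-origin", "sandboxed" (same-origin iframe with a sandbox
// attribute) or "cross-origin" (frameElement is null for a cross-origin parent).
function mockWindow(origin, framing) {
  const win = { origin };
  win.top = framing === "top" ? win : {};
  if (framing === "top" || framing === "cross-origin") {
    win.frameElement = null;
  } else {
    win.frameElement = {
      hasAttribute: (name) => name === "sandbox" && framing === "sandboxed",
    };
  }
  return win;
}
```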

Added: Dec 17, 2025, 6:20 PM
Updated: Dec 17, 2025, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 6.4
remediation: 0.0
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.