Debian Security Advisory

DLA-3423-1 epiphany-browser -- LTS security update

Date Reported:
15 May 2023
Affected Packages:
epiphany-browser
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2023-26081.
More information:

It was discovered that there was a potential credential-stealing attack in epiphany-browser, the default GNOME web browser.

When a page was sandboxed, whether by a Content Security Policy (CSP) `sandbox` directive or by the HTML iframe `sandbox` attribute, the sandboxed web content was still treated as trusted by the main/surrounding resource, so the password manager would autofill credentials into it. After this change, the password manager is disabled entirely in these situations, so that untrusted web content cannot exfiltrate passwords.

  • CVE-2023-26081

    In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.
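As an added illustration (not Epiphany's own code), the following JavaScript applies the rule behind the fix described above: a document sandboxed by a CSP `sandbox` directive or by an enclosing `<iframe sandbox>` attribute gets no password autofill. The CSP parser and the function names are assumptions made for this example.

```javascript
// Added example: decide whether a browser-side password manager may autofill
// into a document, following the advisory's rule that sandboxed contexts
// (CSP `sandbox` directive or <iframe sandbox>) must never receive credentials.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source/keyword tokens.
// Per the CSP spec, a repeated directive name is ignored after its first use.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the document is sandboxed. A `sandbox` directive counts even when
// it carries allow-* tokens, and an iframe `sandbox` attribute counts even
// when it is the empty string (which is the most restrictive form).
function isSandboxedContext(cspHeader, iframeSandboxAttr) {
  const csp = cspHeader ? parseCsp(cspHeader) : new Map();
  if (csp.has('sandbox')) return true;
  if (iframeSandboxAttr !== null && iframeSandboxAttr !== undefined) return true;
  return false;
}

// The policy the fix enforces: no autofill at all in sandboxed contexts.
function passwordAutofillAllowed(cspHeader, iframeSandboxAttr) {
  return !isSandboxedContext(cspHeader, iframeSandboxAttr);
}

// Constructed sample headers (not taken from any real site).
const SAMPLE_PLAIN = "default-src 'self'; script-src 'self' cdn.example";
const SAMPLE_SANDBOXED = "default-src 'self'; sandbox allow-scripts allow-forms";

console.log(passwordAutofillAllowed(SAMPLE_PLAIN, null));      // true
console.log(passwordAutofillAllowed(SAMPLE_SANDBOXED, null));  // false
console.log(passwordAutofillAllowed(SAMPLE_PLAIN, ""));        // false (iframe sandbox)
```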

For Debian 10 Buster, this problem has been fixed in version 3.32.1.2-3~deb10u3.

We recommend that you upgrade your epiphany-browser packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS