CVE-2023-26081: 
NixOS vulnerability analysis and mitigation

CVE-2023-26081 affects Epiphany (also known as GNOME Web) through version 43.0. The vulnerability allows untrusted web content to trick users into exfiltrating passwords by exploiting the browser's autofill functionality in sandboxed contexts (MITRE CVE, Debian Security).

The vulnerability occurs when the password manager autofills credentials into untrusted pages that are either sandboxed via Content Security Policy (CSP) or contained within sandboxed iframes. The password manager incorrectly trusts these sandboxed contexts, allowing potential credential theft. The issue has a CVSS 3.1 base score of 7.5 (High), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Ubuntu Security).

If exploited, this vulnerability could lead to the theft of stored passwords when users visit malicious websites that utilize sandboxed content. The attack specifically targets the browser's password manager functionality, potentially exposing sensitive login credentials to unauthorized parties (Google Security Research).

The vulnerability has been fixed in Epiphany version 43.1 and later releases. The fix involves completely disabling the password manager functionality in sandboxed contexts to prevent credential exfiltration. Users are advised to upgrade to the patched versions available through their distribution's package management system (Fedora Update).