MSHTML Framework CVE-2026-21513
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
AnalysisAI
MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.
Technical ContextAI
MSHTML (Trident) is the legacy HTML rendering engine used by Internet Explorer and many Windows applications that render HTML content (Outlook email preview, help files, many third-party apps). Despite IE's deprecation, MSHTML remains a critical attack surface because it's still used for rendering HTML in non-browser contexts. This bypass allows malicious content to execute outside the normal security restrictions applied to rendered HTML.
RemediationAI
Apply Microsoft security update immediately. Consider disabling HTML email rendering in Outlook (plain text mode). Enable ASR rules for MSHTML-based attacks. Monitor for exploitation indicators in email processing logs.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today