Skip to main content

MSHTML Framework CVE-2026-21513

HIGH
Protection Mechanism Failure (CWE-693)
2026-02-10 secure@microsoft.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Added to CISA KEV
Mar 30, 2026 - 13:28 cisa
CISA KEV
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 10, 2026 - 18:16 nvd
HIGH 8.8

DescriptionCVE.org

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.

Technical ContextAI

MSHTML (Trident) is the legacy HTML rendering engine used by Internet Explorer and many Windows applications that render HTML content (Outlook email preview, help files, many third-party apps). Despite IE's deprecation, MSHTML remains a critical attack surface because it's still used for rendering HTML in non-browser contexts. This bypass allows malicious content to execute outside the normal security restrictions applied to rendered HTML.

RemediationAI

Apply Microsoft security update immediately. Consider disabling HTML email rendering in Outlook (plain text mode). Enable ASR rules for MSHTML-based attacks. Monitor for exploitation indicators in email processing logs.

Share

CVE-2026-21513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy