Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Browser XSS resulting in spoofing typically requires the victim to load attacker content (UI:R), no prior auth to the browser (PR:N), crosses the same-origin boundary (S:C), with limited C/I impact and no availability loss.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Per the CVSS vector, the attacker must already hold some level of privilege (PR:L) on the targeted system or service - for example, an account on a web application that allows posting content the victim later renders in Edge - and the victim must visit a page where Edge processes attacker-controlled input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) yields 8.8 High, indicating network-reachable exploitation with low complexity, low privileges, and no user interaction, with high impact across CIA - an unusually severe rating for an XSS classified only as 'spoofing.' This is a notable inconsistency: the description characterizes the impact as spoofing, which typically maps to integrity-only, yet the vector asserts high confidentiality and availability impact as well, suggesting the assigned vector may overstate impact or that the underlying flaw enables more than visual spoofing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds limited privileges (e.g., the ability to host or inject content into a page the victim visits, or low-level access to a service the victim's browser interacts with) crafts a malicious page or response containing unsanitized markup that Edge fails to neutralize during page generation. When the victim's browser renders the content, injected script executes in a trusted context and spoofs UI elements - for example, faking address-bar indicators or dialog boxes - to trick the user into divulging credentials or approving sensitive actions. … |
| Remediation | Patch available per vendor advisory - update Microsoft Edge to the latest stable channel build as listed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32208, which for Edge is typically delivered automatically via the Edge Update service (MicrosoftEdgeUpdate.exe). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Microsoft Edge deployments and identify business-critical uses. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Edge Chromium
View allChrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the r
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remo
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to
Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially
Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit he
Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially expl
Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is r
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability
A security vulnerability in No cwe for this (CVSS 7.4) that allows an unauthorized attacker. Risk factors: public PoC av
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38085
GHSA-q6cc-35v5-92vm