Skip to main content

Microsoft Edge CVE-2026-32208

| EUVDEUVD-2026-38085 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 secure@microsoft.com GHSA-q6cc-35v5-92vm
5.4
CVSS 3.1 · NVD
Temporal: 7.7
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CIRCL (temporal)
7.7 HIGH
cvss
vuln.today AI
6.1 MEDIUM

Browser XSS resulting in spoofing typically requires the victim to load attacker content (UI:R), no prior auth to the browser (PR:N), crosses the same-origin boundary (S:C), with limited C/I impact and no availability loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 22, 2026 - 20:38 NVD
HIGH MEDIUM
CVSS changed
Jun 22, 2026 - 20:38 NVD
8.8 (HIGH) 5.4 (MEDIUM)
Analysis Generated
Jun 19, 2026 - 21:39 vuln.today
CVE Published
Jun 19, 2026 - 21:16 nvd
HIGH 8.8

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker obtains low-privilege content-posting access
Delivery
Inject unsanitized payload into web content
Exploit
Victim's Edge browser renders crafted page
Execution
XSS executes in trusted browser context
Impact
Spoof UI or exfiltrate session data

Vulnerability AssessmentAI

Exploitation Per the CVSS vector, the attacker must already hold some level of privilege (PR:L) on the targeted system or service - for example, an account on a web application that allows posting content the victim later renders in Edge - and the victim must visit a page where Edge processes attacker-controlled input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) yields 8.8 High, indicating network-reachable exploitation with low complexity, low privileges, and no user interaction, with high impact across CIA - an unusually severe rating for an XSS classified only as 'spoofing.' This is a notable inconsistency: the description characterizes the impact as spoofing, which typically maps to integrity-only, yet the vector asserts high confidentiality and availability impact as well, suggesting the assigned vector may overstate impact or that the underlying flaw enables more than visual spoofing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds limited privileges (e.g., the ability to host or inject content into a page the victim visits, or low-level access to a service the victim's browser interacts with) crafts a malicious page or response containing unsanitized markup that Edge fails to neutralize during page generation. When the victim's browser renders the content, injected script executes in a trusted context and spoofs UI elements - for example, faking address-bar indicators or dialog boxes - to trick the user into divulging credentials or approving sensitive actions. …
Remediation Patch available per vendor advisory - update Microsoft Edge to the latest stable channel build as listed in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32208, which for Edge is typically delivered automatically via the Edge Update service (MicrosoftEdgeUpdate.exe). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Microsoft Edge deployments and identify business-critical uses. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-5419 HIGH POC
8.8 Jun 03

Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling

CVE-2022-4135 CRITICAL POC
9.6 Nov 25

Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the r

CVE-2025-49713 HIGH POC
8.8 Jul 02

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized

CVE-2023-5217 HIGH POC
8.8 Sep 28

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remo

CVE-2023-4863 HIGH POC
8.8 Sep 12

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to

CVE-2021-21157 HIGH POC
8.8 Feb 22

Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially

CVE-2021-21128 HIGH POC
8.8 Feb 09

Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit he

CVE-2021-21127 HIGH POC
8.8 Feb 09

Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass

CVE-2020-16009 HIGH POC
8.8 Nov 03

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially expl

CVE-2023-24892 HIGH POC
8.2 Mar 14

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is r

CVE-2023-36887 HIGH POC
7.8 Jul 14

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability

CVE-2025-49741 HIGH POC
7.4 Jul 01

A security vulnerability in No cwe for this (CVSS 7.4) that allows an unauthorized attacker. Risk factors: public PoC av

Share

CVE-2026-32208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy