Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Microsoft Edge (Chromium-based) Spoofing Vulnerability
AnalysisAI
Microsoft Edge (Chromium-based) allows remote attackers to spoof visual elements through a low-complexity network-based attack requiring user interaction, potentially disclosing limited information to unauthenticated users. The vulnerability affects all versions of Microsoft Edge based on Chromium and carries a CVSS score of 4.3 with low confidentiality impact but no code execution or availability risk. A vendor-released patch is available.
Technical ContextAI
This spoofing vulnerability in Microsoft Edge (Chromium-based) exploits weaknesses in the browser's rendering or UI validation mechanisms, likely related to how the application handles display of security-critical visual elements such as address bars, security indicators, or authentication dialogs. The Chromium browser engine, which powers Microsoft Edge, implements multiple layers of user interface protection; however, this CVE indicates a gap in spoofing defenses. The attack requires network accessibility (AV:N) and low attack complexity (AC:L), suggesting the flaw does not require exploiting additional system conditions or multiple chained vulnerabilities. While no CWE is specified, spoofing vulnerabilities typically fall under improper input validation or inadequate visual authentication verification.
RemediationAI
Vendor-released patch is available from Microsoft. Users should update Microsoft Edge (Chromium-based) to the patched version specified in the Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33118). Most Microsoft Edge installations configured with automatic updates will receive the patch automatically; manual updates can be triggered via the browser's Settings menu (Help > About Microsoft Edge). No workarounds are documented; patching is the recommended remediation. Review the advisory for the exact patched build version and apply it immediately.
Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur
Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by
Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run
Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th
Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21601