Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Stored or reflected cross-site scripting in Microsoft Azure Stack Edge enables an authenticated high-privileged attacker to inject malicious script into the management web interface, leading to spoofing attacks across a network with scope change to other components. With CVSS 8.4 reflecting high confidentiality, integrity, and availability impact plus required user interaction, successful exploitation could compromise adjacent Azure resources or administrative sessions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Azure Stack Edge is Microsoft's hybrid cloud edge appliance combining compute, storage, and networking with Azure-managed services, typically administered through a local or Azure-portal-based web UI. The flaw is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input rendered into the management web pages is not properly encoded or sanitized before being returned to the browser. This allows attacker-supplied HTML/JavaScript to execute in the context of the administrative web application, and the CVSS Scope:Changed indicator suggests the injected script can reach security authorities beyond the vulnerable component itself - likely the broader Azure management plane the appliance integrates with.
RemediationAI
Apply the firmware/software update referenced in Microsoft's MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41098 - Azure Stack Edge updates are delivered through the Azure portal and the appliance's local web UI, so administrators should check the device update blade and install the latest available package; exact patched version was not provided in the input data and should be taken from MSRC. Until patched, restrict access to the Azure Stack Edge local management endpoint to a dedicated jump host on an isolated management VLAN (trade-off: breaks ad-hoc admin access from end-user workstations), require all administrators to use a hardened browser profile or dedicated admin workstation when interacting with the appliance to limit cross-tenant cookie/script exposure (trade-off: operational friction), and review device administrator role assignments to minimize the population of PR:H accounts that could trigger the bug.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35507
GHSA-5p59-gxh8-558r