Skip to main content

Microsoft Edge CVE-2026-57987

| EUVDEUVD-2026-41651 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-03 microsoft GHSA-pgfj-jh8g-79g5
6.5
CVSS 3.1 · Vendor: microsoft
Temporal: 5.7
Share

Severity by source

Vendor (microsoft) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CIRCL (temporal)
5.7 MEDIUM
cvss
vuln.today AI
6.5 MEDIUM

Network SSRF triggered by user visiting a page (AV:N, UI:R, PR:N); high confidentiality from internal resource exposure; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 22:03 vuln.today
CVE Published
Jul 03, 2026 - 20:35 nvd
MEDIUM 6.5

DescriptionCVE.org

Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious web page
Delivery
Victim clicks link and page loads in unpatched Edge
Exploit
Browser issues forged SSRF request to internal or external target
Execution
Target service responds to browser as trusted relay
Impact
Sensitive response data exposed to attacker via spoofing channel

Vulnerability AssessmentAI

Exploitation Exploitation requires a user running Microsoft Edge (Chromium-based) earlier than version 150.0.4078.48 to visit an attacker-controlled or compromised web page - this is the sole prerequisite (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven by network accessibility (AV:N), low attack complexity (AC:L), no required attacker privileges (PR:N), mandatory user interaction (UI:R), unchanged scope (S:U), and high confidentiality impact with no integrity or availability impact (C:H/I:N/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing JavaScript or HTML that, when loaded in an unpatched Edge browser, triggers the browser to issue forged HTTP requests to internal network services (such as metadata endpoints, intranet APIs, or local administrative interfaces) or external destinations that accept the browser as a trusted relay. The victim is lured via phishing email or a compromised website link, satisfying the UI:R requirement. …
Remediation The primary fix is to upgrade Microsoft Edge (Chromium-based) to version 150.0.4078.48 or later, which contains the vendor-released patch per the Microsoft MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57987. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57983 CRITICAL
10.0 Jul 03

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate

CVE-2026-57981 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th

CVE-2026-57974 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur

CVE-2026-56645 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ

CVE-2026-57985 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a

CVE-2026-50521 HIGH
8.3 Jul 01

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58281 HIGH
8.3 Jul 11

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by

CVE-2026-58289 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run

CVE-2026-58596 HIGH
8.3 Jul 12

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in

CVE-2026-58288 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58285 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack

CVE-2026-58287 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi

Share

CVE-2026-57987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy