Skip to main content

Microsoft Edge Android CVE-2026-58300

| EUVDEUVD-2026-41595 MEDIUM
Absolute Path Traversal (CWE-36)
2026-07-03 microsoft GHSA-h677-5v32-7m48
5.5
CVSS 3.1 · NVD
Temporal: 5.4
Share

Severity by source

Vendor (microsoft) PRIMARY
MEDIUM
qualitative
NVD
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
5.4 MEDIUM
cvss
vuln.today AI
6.2 MEDIUM

Local vector confirmed by description; no privileges or interaction required; impact is purely confidentiality loss with no integrity or availability effect.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 07, 2026 - 22:52 NVD
6.2 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jul 03, 2026 - 22:09 vuln.today
CVE Published
Jul 03, 2026 - 20:35 nvd
MEDIUM 6.2

DescriptionNVD

Absolute path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.

AnalysisAI

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local Android device access
Delivery
Supply crafted absolute path to Edge component
Exploit
Trigger CWE-36 traversal past app sandbox boundary
Execution
Read sensitive files accessible to Edge process
Impact
Exfiltrate credentials or session data

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the Android device (AV:L), meaning the attacker must have physical possession of the device, ADB access, or the ability to interact with the device's local environment through another installed application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.2 score with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N reflects a medium-severity vulnerability whose primary constraint is the local attack vector - exploitation requires the attacker to already have some form of local device access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local access to an Android device - whether through physical possession, a malicious co-located app with overlapping file permissions, or compromised ADB access - provides a crafted absolute path input to a vulnerable Edge component, causing it to read and return a file outside its sandboxed storage directory. This could expose sensitive browser artifacts such as saved login credentials, session cookies, browsing history, or cached content stored by the Edge application. …
Remediation The primary fix is to update Microsoft Edge for Android to version 150.0.4078.48 or later via the Google Play Store or your organization's mobile device management (MDM) distribution channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57983 CRITICAL
10.0 Jul 03

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate

CVE-2026-57981 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th

CVE-2026-57974 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur

CVE-2026-56645 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ

CVE-2026-57985 HIGH
8.8 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a

CVE-2026-50521 HIGH
8.3 Jul 01

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58281 HIGH
8.3 Jul 11

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by

CVE-2026-58289 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run

CVE-2026-58596 HIGH
8.3 Jul 12

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in

CVE-2026-58288 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th

CVE-2026-58285 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack

CVE-2026-58287 HIGH
8.3 Jul 03

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi

Share

CVE-2026-58300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy