Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local vector confirmed by description; no privileges or interaction required; impact is purely confidentiality loss with no integrity or availability effect.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
Absolute path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally.
AnalysisAI
Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the Android device (AV:L), meaning the attacker must have physical possession of the device, ADB access, or the ability to interact with the device's local environment through another installed application. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.2 score with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N reflects a medium-severity vulnerability whose primary constraint is the local attack vector - exploitation requires the attacker to already have some form of local device access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local access to an Android device - whether through physical possession, a malicious co-located app with overlapping file permissions, or compromised ADB access - provides a crafted absolute path input to a vulnerable Edge component, causing it to read and return a file outside its sandboxed storage directory. This could expose sensitive browser artifacts such as saved login credentials, session cookies, browsing history, or cached content stored by the Edge application. … |
| Remediation | The primary fix is to update Microsoft Edge for Android to version 150.0.4078.48 or later via the Google Play Store or your organization's mobile device management (MDM) distribution channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticate
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) th
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by lur
Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a networ
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote a
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by
Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run
Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim in
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw th
Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attack
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a vi
Same weakness CWE-36 – Absolute Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41595
GHSA-h677-5v32-7m48