Skip to main content

Microsoft Edge CVE-2026-58525

| EUVDEUVD-2026-42401 HIGH
Improper Access Control (CWE-284)
2026-07-08 secure@microsoft.com GHSA-465q-rjv4-qq7x
8.2
CVSS 3.1 · Vendor: microsoft
Temporal: 7.1
Share

Severity by source

Vendor (microsoft) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CIRCL (temporal)
7.1 HIGH
cvss
vuln.today AI
8.2 HIGH

Network-delivered browser flaw needing victim interaction (UI:R) but no privileges (PR:N); bypass crosses a security boundary (S:C) and mainly discloses sensitive data (C:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:47 vuln.today
CVE Published
Jul 08, 2026 - 21:16 nvd
HIGH 8.2

DescriptionCVE.org

Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

Security feature bypass in Microsoft Edge (Chromium-based) allows a remote, unauthenticated attacker to circumvent a browser security control over the network when a user is lured into interacting with attacker-controlled content. The scope-changing CVSS 8.2 vector and high confidentiality impact suggest the bypass can expose sensitive information beyond the browser's normal security boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious web content
Delivery
Lure victim to interact (click/visit)
Exploit
Bypass Edge access control
Execution
Cross security boundary (scope change)
Impact
Disclose sensitive information

Vulnerability AssessmentAI

Exploitation Exploitation requires user interaction (CVSS UI:R): a victim must actively visit or interact with attacker-controlled web content in Microsoft Edge (Chromium-based) - the attacker cannot trigger it passively or purely remotely. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.2 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - network attack vector, low complexity, no privileges, but requiring user interaction (UI:R), with a scope change and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or injects malicious web content and lures a victim into interacting with it - for example clicking a crafted link. Because the control that should enforce access boundaries can be bypassed, the page reaches data or a security context it should not, disclosing sensitive information across a security boundary (scope change). …
Remediation Apply the latest Microsoft Edge security update as published in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58525); Edge updates automatically, so ensure the browser is allowed to update and restart it to apply the fix - the exact fixed build should be taken from that advisory as no specific patch version was provided in the input data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Alert all Microsoft Edge users and deploy network-based content filtering to restrict access to untrusted websites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-5419 HIGH POC
8.8 Jun 03

Chrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling

CVE-2022-4135 CRITICAL POC
9.6 Nov 25

Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the r

CVE-2025-49713 HIGH POC
8.8 Jul 02

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized

CVE-2023-5217 HIGH POC
8.8 Sep 28

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remo

CVE-2023-4863 HIGH POC
8.8 Sep 12

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to

CVE-2021-21157 HIGH POC
8.8 Feb 22

Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially

CVE-2021-21128 HIGH POC
8.8 Feb 09

Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit he

CVE-2021-21127 HIGH POC
8.8 Feb 09

Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass

CVE-2020-16009 HIGH POC
8.8 Nov 03

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially expl

CVE-2023-24892 HIGH POC
8.2 Mar 14

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is r

CVE-2023-36887 HIGH POC
7.8 Jul 14

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability

CVE-2025-49741 HIGH POC
7.4 Jul 01

A security vulnerability in No cwe for this (CVSS 7.4) that allows an unauthorized attacker. Risk factors: public PoC av

Share

CVE-2026-58525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy