Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Microsoft Edge (Chromium-based) on Android contains a user interface misrepresentation vulnerability that allows unauthenticated remote attackers to conduct spoofing attacks over a network. The vulnerability exploits UI rendering to misrepresent critical information to end users, enabling attackers to deceive users into taking unintended actions. While the CVSS score is moderate (5.4), the attack requires user interaction and only impacts confidentiality and integrity; a vendor-released patch is available.
Technical ContextAI
This vulnerability is rooted in CWE-451 (User Interface Misrepresentation of Critical Information), a class of flaws where the user interface fails to accurately represent system state or security-relevant information to the user. In Chromium-based Microsoft Edge, this manifests as incorrect rendering or display of critical UI elements, allowing attackers to spoof security indicators, address bars, or other trust signals that users rely on for making security decisions. The Chromium rendering engine may fail to properly validate or display certain UI properties, creating a gap between what the user perceives and the actual network connection or resource being accessed. Affected product: Microsoft Edge for Android across all versions prior to the patched release.
RemediationAI
Microsoft has released a patched version; users should update Microsoft Edge for Android to the latest version available via the Google Play Store or system app update mechanism. Exact patch version information is available in the official Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33119. Until patching is possible, users should exercise heightened caution when viewing security-critical UI elements (such as the address bar, lock icon, or permission prompts) in Edge on Android, and should verify website identities through independent means (e.g., typing the URL directly rather than following links) before entering credentials or sensitive information.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21603