Skip to main content

Azure Stack Edge EUVDEUVD-2026-35507

| CVE-2026-41098 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-5p59-gxh8-558r
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:35 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.4

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Stored or reflected cross-site scripting in Microsoft Azure Stack Edge enables an authenticated high-privileged attacker to inject malicious script into the management web interface, leading to spoofing attacks across a network with scope change to other components. With CVSS 8.4 reflecting high confidentiality, integrity, and availability impact plus required user interaction, successful exploitation could compromise adjacent Azure resources or administrative sessions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Azure Stack Edge is Microsoft's hybrid cloud edge appliance combining compute, storage, and networking with Azure-managed services, typically administered through a local or Azure-portal-based web UI. The flaw is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input rendered into the management web pages is not properly encoded or sanitized before being returned to the browser. This allows attacker-supplied HTML/JavaScript to execute in the context of the administrative web application, and the CVSS Scope:Changed indicator suggests the injected script can reach security authorities beyond the vulnerable component itself - likely the broader Azure management plane the appliance integrates with.

RemediationAI

Apply the firmware/software update referenced in Microsoft's MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41098 - Azure Stack Edge updates are delivered through the Azure portal and the appliance's local web UI, so administrators should check the device update blade and install the latest available package; exact patched version was not provided in the input data and should be taken from MSRC. Until patched, restrict access to the Azure Stack Edge local management endpoint to a dedicated jump host on an isolated management VLAN (trade-off: breaks ad-hoc admin access from end-user workstations), require all administrators to use a hardened browser profile or dedicated admin workstation when interacting with the appliance to limit cross-tenant cookie/script exposure (trade-off: operational friction), and review device administrator role assignments to minimize the population of PR:H accounts that could trigger the bug.

Share

EUVD-2026-35507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy