Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Network-delivered browser flaw needing victim interaction (UI:R) but no privileges (PR:N); bypass crosses a security boundary (S:C) and mainly discloses sensitive data (C:H).
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
AnalysisAI
Security feature bypass in Microsoft Edge (Chromium-based) allows a remote, unauthenticated attacker to circumvent a browser security control over the network when a user is lured into interacting with attacker-controlled content. The scope-changing CVSS 8.2 vector and high confidentiality impact suggest the bypass can expose sensitive information beyond the browser's normal security boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires user interaction (CVSS UI:R): a victim must actively visit or interact with attacker-controlled web content in Microsoft Edge (Chromium-based) - the attacker cannot trigger it passively or purely remotely. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.2 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - network attack vector, low complexity, no privileges, but requiring user interaction (UI:R), with a scope change and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts or injects malicious web content and lures a victim into interacting with it - for example clicking a crafted link. Because the control that should enforce access boundaries can be bypassed, the page reaches data or a security context it should not, disclosing sensitive information across a security boundary (scope change). … |
| Remediation | Apply the latest Microsoft Edge security update as published in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58525); Edge updates automatically, so ensure the browser is allowed to update and restart it to apply the fix - the exact fixed build should be taken from that advisory as no specific patch version was provided in the input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Alert all Microsoft Edge users and deploy network-based content filtering to restrict access to untrusted websites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Edge Chromium
View allChrome's V8 JavaScript engine contains an out-of-bounds read and write vulnerability (CVE-2025-5419, CVSS 8.8) enabling
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the r
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remo
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to
Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially
Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit he
Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially expl
Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is r
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability
A security vulnerability in No cwe for this (CVSS 7.4) that allows an unauthorized attacker. Risk factors: public PoC av
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42401
GHSA-465q-rjv4-qq7x