Skip to main content

Microsoft Edge Chromium Based

47 CVEs product

Monthly

CVE-2026-58596 HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-58281 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by luring a victim into interacting with crafted content that triggers unsafe deserialization (CWE-502). The flaw carries CVSS 8.3 with a scope change, meaning successful exploitation can break out of the browser's security boundary, though there is no public exploit identified at time of analysis and Microsoft has already shipped a fix.

Deserialization Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.7%
CVE-2026-58523 MEDIUM PATCH This Month

Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58291 MEDIUM PATCH This Month

Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2026-45489 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.

Microsoft Google Microsoft Edge Chromium Based Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58597 MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-58524 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-58300 MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.4%
CVE-2026-58298 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-58297 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58296 HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58295 HIGH PATCH This Week

Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58294 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthorized, remote attacker can trigger to run arbitrary code. Exploitation requires the victim to interact with attacker-controlled web content, and the CVSS 3.1 vector marks high attack complexity (AC:H) despite requiring no privileges (PR:N). Microsoft has released a fix; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58293 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-58292 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run code on a victim's machine when the user is lured into interacting with attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and, per its CVSS scope-change metric, is consistent with a renderer/sandbox boundary escape. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58290 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type confusion flaw (CWE-843) that an unauthorized attacker can trigger over the network to run arbitrary code, provided the victim interacts with attacker-controlled web content. Microsoft self-reported and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) and required user interaction (UI:R) temper an otherwise network-reachable, unauthenticated attack surface.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58289 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-58288 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated, network-based attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact — typically by visiting a malicious or compromised web page — and the CVSS 3.1 score of 8.3 reflects high attack complexity plus a scope change consistent with a renderer sandbox escape. There is no public exploit identified at time of analysis and no CISA KEV listing, though the underlying Chromium engine origin (tags reference Google) means a shared upstream root cause across Chromium browsers is likely.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58286 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58285 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58284 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58278 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) versions before 150.0.4078.48 enables unauthenticated remote attackers to perform network spoofing by inducing the browser to issue forged requests on behalf of a victim. The attack requires user interaction - a victim must visit or interact with attacker-controlled content - after which the browser can be coerced into making unauthorized requests that manipulate resource integrity or availability. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a vendor-released patch is available.

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-58276 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that an unauthorized network attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact with attacker-controlled content (UI:R) and involves high attack complexity (AC:H), so a user must be lured to a malicious or compromised page. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a fix.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57991 HIGH PATCH This Week

Information disclosure in Microsoft Edge (Chromium-based) lets a remote attacker read sensitive data by abusing improper symbolic/link resolution (CWE-59) when a victim interacts with attacker-controlled content. Exploitation requires user interaction (UI:R) but no authentication (PR:N), and the scope-changed impact (S:C) indicates data is exposed beyond the browser's own security boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.4
EPSS
0.8%
CVE-2026-57986 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory-corruption bug (CWE-416) that an unauthorized attacker can trigger over the network to run arbitrary code in the browser's context. Exploitation requires the victim to interact with attacker-controlled web content and the CVSS vector flags high attack complexity, so successful attacks are not trivial. There is no public exploit identified at time of analysis and no CISA KEV listing, but a vendor patch is available from Microsoft.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57981 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that lets an unauthenticated attacker run arbitrary code when a victim visits a malicious web page. All Edge Chromium versions prior to the vendor-patched build are affected, and the CVSS 3.1 base score is 8.8 (High). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires user interaction such as browsing to attacker-controlled content.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-57977 HIGH PATCH This Week

Spoofing in Microsoft Edge (Chromium-based) arises from a cross-site scripting (CWE-79) flaw that lets a network-based, unauthenticated attacker inject script into a generated web page, producing a convincing spoofed browser context after the victim interacts with malicious content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R, C:L/I:H) reflects a high-integrity spoofing impact gated only by user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-57974 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Integer Overflow Buffer Overflow Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-45488 MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-58522 MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-58299 HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58287 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a victim views attacker-controlled web content, stemming from a use-after-free memory-corruption flaw (CWE-416). The scope-changed CVSS vector (S:C) indicates the bug can breach the browser's sandbox boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis (CVSS E:U) and it is not listed in CISA KEV.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58283 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58282 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-56646 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-57993 HIGH PATCH This Week

Server-side request forgery in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker coax a victim's browser into issuing forged network requests, enabling spoofing and disclosure of sensitive data over the network. Exploitation requires user interaction (visiting or interacting with attacker-controlled content), and the CVSS scope-change flag indicates the browser can be pivoted to reach resources beyond its own security boundary. No public exploit identified at time of analysis (CVSS E:U), but a vendor fix is already available and the finding is vendor-confirmed (RC:C).

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.4
EPSS
0.6%
CVE-2026-57992 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run arbitrary code when a victim is lured into loading attacker-controlled web content that triggers a use-after-free memory corruption. The flaw carries a CVSS 3.1 base of 7.5 and requires user interaction, and the CVSS temporal metrics (E:U, RL:O, RC:C) indicate the issue is confirmed and officially patched with no public exploit identified at time of analysis. Because Edge shares Chromium's rendering engine, the underlying defect is likely rooted in an upstream Chromium/Blink component (the intel tags also reference Google).

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57988 HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-57987 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-57985 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57984 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated attacker can trigger over the network when a victim loads attacker-controlled web content. Microsoft has released an official fix and rates the issue 7.5 (High), tempered by high attack complexity and required user interaction; the CVSS temporal data marks exploit maturity as Unproven (E:U), so there is no public exploit identified at time of analysis and no CISA KEV listing. The vendor tags ('Google', 'Use After Free', 'Denial Of Service') indicate this most likely tracks an upstream Chromium engine defect inherited by Edge.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57983 CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57975 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56645 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.

Heap Overflow Microsoft Buffer Overflow Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-55945 MEDIUM PATCH This Month

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.

Information Disclosure Microsoft Race Condition Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-50521 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.3
EPSS
0.8%
CVE-2026-33118 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) allows remote attackers to spoof visual elements through a low-complexity network-based attack requiring user interaction, potentially disclosing limited information to unauthenticated users. The vulnerability affects all versions of Microsoft Edge based on Chromium and carries a CVSS score of 4.3 with low confidentiality impact but no code execution or availability risk. A vendor-released patch is available.

Information Disclosure Google Microsoft Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 8.3
HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated network attacker run arbitrary code by luring a victim into interacting with crafted content that triggers unsafe deserialization (CWE-502). The flaw carries CVSS 8.3 with a scope change, meaning successful exploitation can break out of the browser's security boundary, though there is no public exploit identified at time of analysis and Microsoft has already shipped a fix.

Deserialization Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.

Microsoft Google Microsoft Edge Chromium Based +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.

XSS Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.

XSS Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android (Chromium-based) allows a network-based attacker to expose a victim's private personal information, but only after luring the user into interacting with attacker-controlled content (UI:R). The flaw carries a CVSS 7.1 rating driven by high confidentiality impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor patch is available via Microsoft's MSRC update guide.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Microsoft Edge for Android allows a remote unauthenticated attacker to exfiltrate private personal information over the network when a victim interacts with attacker-controlled content. The flaw carries a CVSS 7.1 with high confidentiality impact and stems from private data being exposed to an unauthorized actor (CWE-359); Microsoft has released a fix. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthorized, remote attacker can trigger to run arbitrary code. Exploitation requires the victim to interact with attacker-controlled web content, and the CVSS 3.1 vector marks high attack complexity (AC:H) despite requiring no privileges (PR:N). Microsoft has released a fix; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run code on a victim's machine when the user is lured into interacting with attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and, per its CVSS scope-change metric, is consistent with a renderer/sandbox boundary escape. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type confusion flaw (CWE-843) that an unauthorized attacker can trigger over the network to run arbitrary code, provided the victim interacts with attacker-controlled web content. Microsoft self-reported and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high attack complexity (AC:H) and required user interaction (UI:R) temper an otherwise network-reachable, unauthenticated attack surface.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated, network-based attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact — typically by visiting a malicious or compromised web page — and the CVSS 3.1 score of 8.3 reflects high attack complexity plus a scope change consistent with a renderer sandbox escape. There is no public exploit identified at time of analysis and no CISA KEV listing, though the underlying Chromium engine origin (tags reference Google) means a shared upstream root cause across Chromium browsers is likely.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) versions before 150.0.4078.48 enables unauthenticated remote attackers to perform network spoofing by inducing the browser to issue forged requests on behalf of a victim. The attack requires user interaction - a victim must visit or interact with attacker-controlled content - after which the browser can be coerced into making unauthorized requests that manipulate resource integrity or availability. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a vendor-released patch is available.

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that an unauthorized network attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact with attacker-controlled content (UI:R) and involves high attack complexity (AC:H), so a user must be lured to a malicious or compromised page. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a fix.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Information disclosure in Microsoft Edge (Chromium-based) lets a remote attacker read sensitive data by abusing improper symbolic/link resolution (CWE-59) when a victim interacts with attacker-controlled content. Exploitation requires user interaction (UI:R) but no authentication (PR:N), and the scope-changed impact (S:C) indicates data is exposed beyond the browser's own security boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory-corruption bug (CWE-416) that an unauthorized attacker can trigger over the network to run arbitrary code in the browser's context. Exploitation requires the victim to interact with attacker-controlled web content and the CVSS vector flags high attack complexity, so successful attacks are not trivial. There is no public exploit identified at time of analysis and no CISA KEV listing, but a vendor patch is available from Microsoft.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that lets an unauthenticated attacker run arbitrary code when a victim visits a malicious web page. All Edge Chromium versions prior to the vendor-patched build are affected, and the CVSS 3.1 base score is 8.8 (High). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires user interaction such as browsing to attacker-controlled content.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Spoofing in Microsoft Edge (Chromium-based) arises from a cross-site scripting (CWE-79) flaw that lets a network-based, unauthenticated attacker inject script into a generated web page, producing a convincing spoofed browser context after the victim interacts with malicious content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R, C:L/I:H) reflects a high-integrity spoofing impact gated only by user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a patch through the MSRC update guide.

XSS Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Integer Overflow Buffer Overflow Microsoft +2
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a victim views attacker-controlled web content, stemming from a use-after-free memory-corruption flaw (CWE-416). The scope-changed CVSS vector (S:C) indicates the bug can breach the browser's sandbox boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis (CVSS E:U) and it is not listed in CISA KEV.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure +1
NVD VulDB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Server-side request forgery in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker coax a victim's browser into issuing forged network requests, enabling spoofing and disclosure of sensitive data over the network. Exploitation requires user interaction (visiting or interacting with attacker-controlled content), and the CVSS scope-change flag indicates the browser can be pivoted to reach resources beyond its own security boundary. No public exploit identified at time of analysis (CVSS E:U), but a vendor fix is already available and the finding is vendor-confirmed (RC:C).

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run arbitrary code when a victim is lured into loading attacker-controlled web content that triggers a use-after-free memory corruption. The flaw carries a CVSS 3.1 base of 7.5 and requires user interaction, and the CVSS temporal metrics (E:U, RL:O, RC:C) indicate the issue is confirmed and officially patched with no public exploit identified at time of analysis. Because Edge shares Chromium's rendering engine, the underlying defect is likely rooted in an upstream Chromium/Blink component (the intel tags also reference Google).

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated attacker can trigger over the network when a victim loads attacker-controlled web content. Microsoft has released an official fix and rates the issue 7.5 (High), tempered by high attack complexity and required user interaction; the CVSS temporal data marks exploit maturity as Unproven (E:U), so there is no public exploit identified at time of analysis and no CISA KEV listing. The vendor tags ('Google', 'Use After Free', 'Denial Of Service') indicate this most likely tracks an upstream Chromium engine defect inherited by Edge.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.

Heap Overflow Microsoft Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.

Information Disclosure Microsoft Race Condition +2
NVD VulDB
EPSS 1% CVSS 8.3
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) allows remote attackers to spoof visual elements through a low-complexity network-based attack requiring user interaction, potentially disclosing limited information to unauthenticated users. The vulnerability affects all versions of Microsoft Edge based on Chromium and carries a CVSS score of 4.3 with low confidentiality impact but no code execution or availability risk. A vendor-released patch is available.

Information Disclosure Google Microsoft +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy