Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0570
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Microsoft Edge. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Microsoft Edge versions ant\u00e9rieures \u00e0 148.0.3967.55",
"product": {
"name": "Edge",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Edge pour Android versions ant\u00e9rieures \u00e0 148.0.3967.55",
"product": {
"name": "Edge",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-7915",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7915"
},
{
"name": "CVE-2026-7905",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7905"
},
{
"name": "CVE-2026-7931",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7931"
},
{
"name": "CVE-2026-42838",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42838"
},
{
"name": "CVE-2026-7912",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7912"
},
{
"name": "CVE-2026-7913",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7913"
},
{
"name": "CVE-2026-42891",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42891"
},
{
"name": "CVE-2026-35429",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35429"
},
{
"name": "CVE-2026-8020",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8020"
},
{
"name": "CVE-2026-7897",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7897"
},
{
"name": "CVE-2026-7993",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7993"
},
{
"name": "CVE-2026-7941",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7941"
},
{
"name": "CVE-2026-41107",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41107"
}
],
"initial_release_date": "2026-05-12T00:00:00",
"last_revision_date": "2026-05-12T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0570",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Edge. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Edge",
"vendor_advisories": [
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7905",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7905"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-35429",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35429"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7941",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7941"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7993",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7993"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-42891",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42891"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-8020",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8020"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7931",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7931"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-41107",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41107"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7897",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7897"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7913",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7913"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7915",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7915"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-42838",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42838"
},
{
"published_at": "2026-05-11",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Edge CVE-2026-7912",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7912"
}
]
}
CVE-2026-7912 (GCVE-0-2026-7912)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-06 22:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-472 - Integer overflow
Summary
Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T20:36:18.375050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T22:02:46.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "Integer overflow",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:30.669Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/497639714"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7912",
"datePublished": "2026-05-06T18:12:30.669Z",
"dateReserved": "2026-05-05T22:59:07.483Z",
"dateUpdated": "2026-05-06T22:02:46.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7897 (GCVE-0-2026-7897)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-07 03:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-416 - Use after free
Summary
Use after free in Mobile in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:56:32.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free in Mobile in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use after free",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:24.777Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/504069514"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7897",
"datePublished": "2026-05-06T18:12:24.777Z",
"dateReserved": "2026-05-05T22:59:03.403Z",
"dateUpdated": "2026-05-07T03:56:32.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42838 (GCVE-0-2026-42838)
Vulnerability from cvelistv5
Published
2026-05-12 16:59
Modified
2026-06-09 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Microsoft Edge (Chromium-based) |
Version: 1.0.0.0 < 148.0.3967.55 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:11:08.909242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:23:53.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Edge (Chromium-based)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "148.0.3967.55",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*",
"versionEndExcluding": "148.0.3967.55",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-11T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Improper neutralization of special elements in output used by a downstream component (\u0027injection\u0027) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:33:44.465Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42838"
}
],
"title": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-42838",
"datePublished": "2026-05-12T16:59:36.804Z",
"dateReserved": "2026-04-30T14:51:12.704Z",
"dateUpdated": "2026-06-09T19:33:44.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42891 (GCVE-0-2026-42891)
Vulnerability from cvelistv5
Published
2026-05-12 16:59
Modified
2026-06-09 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Summary
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Microsoft Edge for Android |
Version: 1.0.0 < 148.0.3967.55 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:13:31.308488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:26:11.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Edge for Android",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "148.0.3967.55",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*",
"versionEndExcluding": "148.0.3967.55",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-11T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:33:11.217Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42891"
}
],
"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-42891",
"datePublished": "2026-05-12T16:59:04.452Z",
"dateReserved": "2026-04-30T22:35:54.966Z",
"dateUpdated": "2026-06-09T19:33:11.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7913 (GCVE-0-2026-7913)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-07 03:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Insufficient policy enforcement
Summary
Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:56:42.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient policy enforcement",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:31.073Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/497936728"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7913",
"datePublished": "2026-05-06T18:12:31.073Z",
"dateReserved": "2026-05-05T22:59:07.726Z",
"dateUpdated": "2026-05-07T03:56:42.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7941 (GCVE-0-2026-7941)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-06 21:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Insufficient validation of untrusted input
Summary
Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T20:51:45.003668Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T21:58:04.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Insufficient validation of untrusted input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:45.168Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/493955234"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7941",
"datePublished": "2026-05-06T18:12:45.168Z",
"dateReserved": "2026-05-05T22:59:15.567Z",
"dateUpdated": "2026-05-06T21:58:04.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8020 (GCVE-0-2026-8020)
Vulnerability from cvelistv5
Published
2026-05-06 18:13
Modified
2026-05-06 21:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-457 - Uninitialized Use
Summary
Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T20:53:31.314634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T21:45:35.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "Uninitialized Use",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:13:15.671Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/498382925"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-8020",
"datePublished": "2026-05-06T18:13:15.671Z",
"dateReserved": "2026-05-05T22:59:36.871Z",
"dateUpdated": "2026-05-06T21:45:35.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41107 (GCVE-0-2026-41107)
Vulnerability from cvelistv5
Published
2026-05-12 16:59
Modified
2026-06-09 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Microsoft Edge (Chromium-based) |
Version: 1.0.0.0 < 148.0.3967.55 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:13:41.039769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:26:28.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Edge (Chromium-based)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "148.0.3967.55",
"status": "affected",
"version": "1.0.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*",
"versionEndExcluding": "148.0.3967.55",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-11T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:33:10.024Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Edge (Chromium-based) Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41107"
}
],
"title": "Microsoft Edge (Chromium-based) Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-41107",
"datePublished": "2026-05-12T16:59:02.359Z",
"dateReserved": "2026-04-16T19:12:36.196Z",
"dateUpdated": "2026-06-09T19:33:10.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7931 (GCVE-0-2026-7931)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-06 21:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Insufficient validation of untrusted input
Summary
Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T20:48:28.822556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T21:59:39.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Insufficient validation of untrusted input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:37.957Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/474338157"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7931",
"datePublished": "2026-05-06T18:12:37.957Z",
"dateReserved": "2026-05-05T22:59:12.878Z",
"dateUpdated": "2026-05-06T21:59:39.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7905 (GCVE-0-2026-7905)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-07 03:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Insufficient validation of untrusted input
Summary
Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T03:56:38.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Insufficient validation of untrusted input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:28.128Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/495259842"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7905",
"datePublished": "2026-05-06T18:12:28.128Z",
"dateReserved": "2026-05-05T22:59:05.605Z",
"dateUpdated": "2026-05-07T03:56:38.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7993 (GCVE-0-2026-7993)
Vulnerability from cvelistv5
Published
2026-05-06 18:13
Modified
2026-05-06 21:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Insufficient validation of untrusted input
Summary
Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T21:32:26.401218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T21:49:58.710Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Insufficient validation of untrusted input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:13:05.353Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/499099003"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7993",
"datePublished": "2026-05-06T18:13:05.353Z",
"dateReserved": "2026-05-05T22:59:29.905Z",
"dateUpdated": "2026-05-06T21:49:58.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7915 (GCVE-0-2026-7915)
Vulnerability from cvelistv5
Published
2026-05-06 18:12
Modified
2026-05-10 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Insufficient data validation
Summary
Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7915",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T21:42:34.203944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:22:36.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "148.0.7778.96",
"status": "affected",
"version": "148.0.7778.96",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient data validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T18:12:31.980Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/498454478"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-7915",
"datePublished": "2026-05-06T18:12:31.980Z",
"dateReserved": "2026-05-05T22:59:08.228Z",
"dateUpdated": "2026-05-10T13:22:36.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35429 (GCVE-0-2026-35429)
Vulnerability from cvelistv5
Published
2026-05-12 16:59
Modified
2026-06-09 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Summary
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microsoft | Microsoft Edge for Android |
Version: 1.0.0 < 148.0.3967.55 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:13:20.190406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:25:56.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Edge for Android",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "148.0.3967.55",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*",
"versionEndExcluding": "148.0.3967.55",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-11T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:33:11.807Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35429"
}
],
"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-35429",
"datePublished": "2026-05-12T16:59:04.999Z",
"dateReserved": "2026-04-02T19:21:11.804Z",
"dateUpdated": "2026-06-09T19:33:11.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…