Description
Under specific conditions, a malicious webpage may trigger autofill population after two consecutive taps, potentially without clear or intentional user consent. This could result in disclosure of stored autofill data such as addresses, email, or phone number metadata.
Published: 2026-02-17
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure via autofill leakage
Action: Patch
AI Analysis

Impact

Under certain conditions, a malicious web page can trigger the autofill mechanism after the user taps twice on the page, potentially without clear or intentional user consent. When autofill is triggered this way, stored data (including addresses, email addresses, and phone number metadata) can be disclosed inadvertently. This vulnerability falls under CWE-359, Sensitive Data Exposure, and allows an attacker to obtain personal data that the user has stored locally in the browser.

Affected Systems

Microsoft Edge (Chromium-based) is the affected vendor and product. No specific version range is listed, so all installations of this browser may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 3.1, indicating low severity, and the EPSS score is less than 1%, suggesting a very low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to open a malicious or compromised web page and interact with it by tapping the page twice. The attack vector is therefore a web-based user interaction; no remote code execution or privilege escalation beyond data disclosure is possible according to the current description.

Generated by OpenCVE AI on April 15, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft Edge to the latest available version to apply the vendor’s security fix for the autofill issue.
  • As a temporary mitigation, disable or restrict the browser’s autofill feature in the settings to prevent unintended exposure of stored data.
  • Continuously monitor Microsoft security updates and apply subsequent patches; audit browser configuration to ensure sensitive autofill data is managed according to organizational privacy policy.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Under specific conditions, a malicious webpage may trigger autofill population after two consecutive taps, potentially without clear or intentional user consent. This could result in disclosure of stored autofill data such as addresses, email, or phone number metadata.
Title | | Microsoft Edge (Chromium-based) Defense in Depth Vulnerability
First Time appeared | | Microsoft; Microsoft edge Chromium
Weaknesses | | CWE-359
CPEs | | cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft edge Chromium
References | |
Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:16.790Z

Reserved: 2025-10-17T23:35:05.037Z

Link: CVE-2026-0102

Vulnrichment

Updated: 2026-03-06T18:56:48.046Z

NVD

Status: Analyzed

Published: 2026-02-17T20:22:05.500

Modified: 2026-02-19T15:39:08.397

Link: CVE-2026-0102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses