Impact
Microsoft Edge (Chromium-based) for Android is affected by a spoofing vulnerability that allows a malicious site to masquerade as a trusted resource. The assignment of CWE-290 (Improper Authentication) and CWE-451 (Blind Race Condition) suggests the flaw involves an authentication weakness potentially combined with a concurrency issue, which could be used to spoof the identity of a legitimate site or resource. Based on this, an attacker might be able to trick a user into interacting with a site that appears to be authentic, undermining the integrity of the browsing session. The vulnerability does not enable arbitrary code execution, denial of service, or other more severe impacts beyond spoofing.
Affected Systems
The affected product is Microsoft Edge for Android, distributed by Microsoft. No specific version is identified in the advisory; therefore, all current releases of the Android application should be considered potentially vulnerable until an official patch is released.
Risk and Exploitability
The CVSS score of 5 indicates a moderate risk level, while the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that exploitation would likely require user interaction—such as visiting or clicking a crafted link—that triggers the spoofing behavior during page rendering. Given the limited public details, concrete assumptions about the attack path remain speculative, but the moderate score and low EPSS suggest a low probability of widespread exploitation.
OpenCVE Enrichment