Description
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, which creates a cross‑site scripting (XSS) vector. An attacker who can authenticate to the Azure Stack Edge portal can inject malicious content and use it to spoof network identities or masquerade as another trusted entity. This can lead to unauthorized actions or misrepresentation within the network managed by the device.

Affected Systems

Microsoft Azure Stack Edge devices are affected. No specific firmware or software versions are listed in the CNA data, indicating that all current releases may contain the flaw until a patch is released by Microsoft.

Risk and Exploitability

The CVSS score of 8.4 reflects high severity. No EPSS score is reported, and the lack of a KEV listing suggests moderate exploitation likelihood. The attack requires an authorized user, so privileged accounts are the primary risk. Once a user's browser renders the injected content, the attacker can perform spoofing over the network, potentially compromising other devices or services that rely on Azure Stack Edge for connectivity.

Generated by OpenCVE AI on June 9, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Stack Edge firmware update provided by Microsoft as soon as it is available.
  • Restrict management interface access to a dedicated secure subnet and enforce role‑based access control so that only trusted administrators can log in.
  • Ensure that web page generation on Azure Stack Edge performs proper input validation and output encoding to eliminate XSS vectors; if the device firmware includes such a feature, enable it.

Generated by OpenCVE AI on June 9, 2026 at 18:23 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network. |
| Title | | Azure Stack Edge Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft azure Stack Edge |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:microsoft:azure_stack_edge:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft azure Stack Edge |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:21:36.755Z

Reserved: 2026-04-16T19:12:36.195Z

Link: CVE-2026-41098

Vulnrichment

Updated: 2026-06-09T19:21:29.599Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:06.793

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-41098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:45:06Z

Weaknesses