Description
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-12
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

External control of file name or path in Microsoft Edge (Chromium‑based) enables an attacker to read sensitive files or directories, exposing confidential data over the network. The flaw originates from insufficient validation of file references, classified as CWE‑73 and CWE‑610. Successful exploitation could lead to non‑authorization obtaining of system or user data with potential confidentiality impact.

Affected Systems

Microsoft Edge (Chromium‑based) on all affected Windows installations. No specific version range is listed, so all releases prior to the fix are potentially vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.4, indicating a high severity. The EPSS score of < 1% suggests a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation evidence. The attack vector is likely remote, achievable by prompting the user to visit a malicious web page or load a crafted payload that manipulates the file path parameter. Given the moderate to high severity, the risk to organizations remains significant if the browser remains unpatched.

Generated by OpenCVE AI on May 15, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft Edge to the latest version from Microsoft that includes the security fix.
  • Where possible, configure Edge or the operating system to restrict or block navigation to local file paths, especially when accessing untrusted web content.
  • Stay informed of new updates from Microsoft and apply them promptly; consider enabling automatic updates or regularly checking Microsoft’s security update guide.

Generated by OpenCVE AI on May 15, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-610
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:-:*:*:*

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
Title Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft edge Chromium
Weaknesses CWE-73
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft edge Chromium
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Edge Chromium
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:16:53.035Z

Reserved: 2026-04-16T19:12:36.196Z

Link: CVE-2026-41107

cve-icon Vulnrichment

Updated: 2026-05-13T10:20:03.875Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:22.077

Modified: 2026-05-15T15:28:52.390

Link: CVE-2026-41107

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T16:30:03Z

Weaknesses