Description
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-05-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements in output used by a downstream component (injection) in Microsoft Edge (Chromium-based). An attacker who is not authorized and can send crafted content over a network can use the flaw to elevate privileges beyond their normal rights.

Affected Systems

Microsoft Edge (Chromium-based). No specific version information is disclosed in the data, so all releases of the Chromium-based Edge are potentially affected.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is not explicitly defined in the description, but based on the nature of the flaw, it is likely that an attacker sends or injects malicious content over a network that the Edge browser renders, enabling privilege escalation. The lack of an available EPSS score and KEV status suggests that this flaw is not yet widely exploited in the wild, but the moderate CVSS score means it can still be a risk for targeted attacks.

Generated by OpenCVE AI on May 12, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Edge update that includes the fix for CVE-2026-42838.
  • If a timely update cannot be applied, restrict access to potentially malicious content by controlling the websites or network routes that Edge uses to prevent injection of special elements.
  • Monitor network traffic and browser logs for abnormal injection patterns or privilege escalation attempts, and investigate any anomalous behavior.

Generated by OpenCVE AI on May 12, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:-:*:*:*

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
Title Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft edge Chromium
Weaknesses CWE-74
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft edge Chromium
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Edge Chromium
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T18:09:15.039Z

Reserved: 2026-04-30T14:51:12.704Z

Link: CVE-2026-42838

cve-icon Vulnrichment

Updated: 2026-05-13T10:19:20.710Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:26.077

Modified: 2026-05-14T14:26:37.290

Link: CVE-2026-42838

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses