{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0391", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-19T12:01:28.640Z", "datePublished": "2026-02-05T22:13:26.387Z", "dateUpdated": "2026-05-11T21:25:25.714Z"}, "containers": {"cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "datePublic": "2026-02-05T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0.0", "versionEndExcluding": "143.0.3650.66"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge (Chromium-based)", "versions": [{"version": "1.0.0.0", "lessThan": "143.0.3650.66", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "lang": "en-US", "type": "CWE", "cweId": "CWE-451"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:25.714Z"}, "references": [{"name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0391"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T19:29:48.734571Z", "id": "CVE-2026-0391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T19:30:08.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T19:29:48.734571Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T19:30:00.634Z"}}], "cna": {"title": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Edge (Chromium-based)", "versions": [{"status": "affected", "version": "1.0.0.0", "lessThan": "143.0.3650.66", "versionType": "custom"}]}], "datePublic": "2026-02-05T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0391", "name": "Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "143.0.3650.66", "versionStartIncluding": "1.0.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:25.714Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0391", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:25:25.714Z", "dateReserved": "2025-11-19T12:01:28.640Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-05T22:13:26.387Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:android:*:*", "matchCriteriaId": "FEBAB3A4-6F70-4D49-934F-4B643B3515C6", "versionEndExcluding": "143.0.3650.66", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network."}, {"lang": "es", "value": "Representaci\u00f3n err\u00f3nea de la interfaz de usuario (UI) de informaci\u00f3n cr\u00edtica en Microsoft Edge para Android permite a un atacante no autorizado realizar suplantaci\u00f3n de identidad a trav\u00e9s de una red."}], "id": "CVE-2026-0391", "lastModified": "2026-02-18T17:44:14.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-05T23:15:54.093", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0391"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T16:38:10.805199+00:00", "value": {"mitigation_remediation": ["Update Microsoft Edge to the latest Android release from Microsoft or the Google Play Store, which contains the fix for UI spoofing.", "If a recent update is not yet available, uninstall the current Edge application or disable it until a patched version is released.", "Maintain general security hygiene by keeping Android OS and all apps updated, avoiding suspicious links, and using trusted browsing sources to reduce exposure to malicious content."], "summary": {"action": "Immediate Patch", "impact": "Spoofing via UI misrepresentation"}, "threat_synthesis": {"affected_systems": "Microsoft Edge (Chromium-based) for Android is affected. No specific version numbers are supplied in the available data, so all current releases of the Android edition of Edge that match the specified vendor/product identifiers are potentially susceptible.", "description_and_impact": "The vulnerability enables an attacker to manipulate how critical information is displayed in the user interface of Microsoft Edge for Android, allowing the attacker to present false or misleading content to the user. This can lead to the user trusting spoofed pages or data, potentially facilitating phishing, credential theft, or other social\u2011engineering attacks. The weakness is categorized as CWE\u2011451, information exposure through UI misrepresentation.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium severity flaw. The EPSS score is below 1%, implying that exploitation cases are expected to be very rare at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote over a network, with an attacker delivering a malicious or deceptively altered website that the user can visit in the affected browser. No additional conditions or local privilege requirements are specified, so any user of the vulnerable app can be deceived."}}}}, "created": "2026-04-15T18:00:15.516373+00:00", "updated": "2026-04-15T18:00:15.516386+00:00", "vendors": []}