Microsoft Edge up to 146.0.3856.84 on Android clickjacking

Summaryinfo

A vulnerability has been found in Microsoft Edge on Android and classified as problematic. This affects an unknown function. This manipulation causes clickjacking. This vulnerability is tracked as CVE-2026-33119. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Microsoft Edge on Android. It has been declared as problematic. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a clickjacking vulnerability. The CWE definition for the vulnerability is CWE-451. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. As an impact it is known to affect integrity. The summary by CVE is:

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

It is possible to read the advisory at msrc.microsoft.com. This vulnerability is known as CVE-2026-33119 since 03/17/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 04/12/2026). The attack technique deployed by this issue is T1566.003 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 305979 (Microsoft Edge (Chromium) < 147.0.3912.60 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 147.0.3912.60 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (305979) and EUVD (EUVD-2026-21603). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Web Browser

Vendor

• Microsoft

Name

• Edge

Version

• 11.0.10240.16384
• 38.14393.0.0
• 38.14393.1066.0
• 98.0.1108.43
• 99.0.1150.30
• 102.0.1245.39
• 102.0.1245.41
• 103.0.1264.37
• 103.0.1264.44
• 104.0.1293.47
• 118.0.2088.88
• 118.0.2088.102
• 119.0.2151.44
• 119.0.2151.58
• 119.0.2151.72
• 120.0.2210.61
• 120.0.2210.77
• 120.0.2210.133
• 120.0.2210.160
• 121.0.2277.83
• 121.0.2277.98
• 122.0.2365.52
• 122.0.2365.63
• 122.0.2365.80
• 122.0.2365.92
• 122.0.2365.120
• 123.0.2420.53
• 123.0.2420.81
• 124.0.2478.51
• 124.0.2478.97
• 124.0.2478.109
• 126.0.2592.56
• 126.0.2592.68
• 126.0.2592.81
• 126.0.2592.102
• 127.0.2651.74
• 127.0.2651.98
• 127.0.2651.105
• 128.0.2739.42
• 129.0.2792.52
• 130.0.2849.46
• 131.0.2903.48
• 131.0.2903.63
• 131.0.2903.86
• 132.0.2957.115
• 132.0.2957.118
• 133.0.3065.51
• 133.0.3065.69
• 134.0.3124.51
• 134.0.3124.66
• 134.0.3124.93
• 135.0.3179.54
• 135.0.3179.98
• 136.0.3240.50
• 138.0.3351.65
• 140.0.3485.54
• 140.0.3485.71
• 140.0.3485.81
• 142.0.3595.53
• 143.0.3650.66
• 143.0.3650.88
• 143.0.3650.97
• 144.0.3719.82
• 145.0.3800.58
• 146.0.3856.59
• 146.0.3856.84

License

• commercial

Website

• Vendor: https://www.microsoft.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion