1. Home
  2. Vulnerabilities
  3. CVE-2026-21513
Known Exploited Vulnerability
8.8
HIGH CVSS 3.1
CVE-2026-21513
Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability - [Actively Exploited]
Overview
Description

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

Details
INFO

Published Date :

Feb. 10, 2026, 6:16 p.m.

Last Modified :

Feb. 11, 2026, 3:38 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21513

Impact
Affected Products

The following products are affected by CVE-2026-21513 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows_server_2012
2 Microsoft windows_server_2016
3 Microsoft windows_server_2019
4 Microsoft windows_10_1607
5 Microsoft windows_10_1809
6 Microsoft windows_10_21h2
7 Microsoft windows_10_22h2
8 Microsoft windows_server_2022
9 Microsoft windows_11_23h2
10 Microsoft windows_server_2022_23h2
11 Microsoft windows_server_23h2
12 Microsoft windows_server_2012_r2
13 Microsoft windows_11_24h2
14 Microsoft windows_server_2025
15 Microsoft windows_11_25h2
16 Microsoft windows_11_26h1
: Total Affected Vendor : 1 | Products : 16
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
Solution
Apply security updates to address MSHTML Framework protection mechanism failures and prevent unauthorized access.
  • Install MSHTML Framework security updates.
  • Review and enforce access controls.
  • Monitor network for suspicious activity.
Public PoC/Exploit Available at Github

CVE-2026-21513 has a 5 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-21513.

URL Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-21513 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-21513 weaknesses.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs Accessing Functionality Not Properly Constrained by ACLs CAPEC-17: Using Malicious Files Using Malicious Files CAPEC-20: Encryption Brute Forcing Encryption Brute Forcing CAPEC-22: Exploiting Trust in Client Exploiting Trust in Client CAPEC-36: Using Unpublished Interfaces or Functionality Using Unpublished Interfaces or Functionality CAPEC-51: Poison Web Service Registry Poison Web Service Registry CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data Utilizing REST's Trust in the System Resource to Obtain Sensitive Data CAPEC-59: Session Credential Falsification through Prediction Session Credential Falsification through Prediction CAPEC-65: Sniff Application Code Sniff Application Code CAPEC-74: Manipulating State Manipulating State CAPEC-87: Forceful Browsing Forceful Browsing CAPEC-107: Cross Site Tracing Cross Site Tracing CAPEC-127: Directory Indexing Directory Indexing CAPEC-237: Escaping a Sandbox by Calling Code in Another Language Escaping a Sandbox by Calling Code in Another Language CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content Signature Spoofing by Mixing Signed and Unsigned Content CAPEC-480: Escaping Virtualization Escaping Virtualization CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB) Key Negotiation of Bluetooth Attack (KNOB)

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
aifinalwarning/microsoft_benevolent_offramps

Open architecture for building AI platforms where benevolence is structural, not a policy statement. Fuses layered offramps (code → infra → network → financial → governance), safe interruptibility research, IAPS taxonomy, consent-first design, and a healing layer — grounded in real CVEs from Microsoft's 2025–26 ecosystem. Apache 2.0.

ai-alignment ai-governance ai-safety benevolent-ai consent-management kill-switch llm-security multi-agent-systems offramp post-quantum-cryptography prompt-injection red-teaming regenerative-design responsible-ai zero-trust safe-interruptibility

HTML

Updated: 2 weeks, 1 day ago
1 stars 0 fork 0 watcher
Born at : March 8, 2026, 5:44 p.m. This repo has been linked 4 different CVEs too.
Profile Photo
ayiz09/ayiz09.github.io

None

Updated: 2 weeks, 6 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 26, 2026, 6:34 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
kapetanios55/SentinelCBContent

None

Shell Python

Updated: 3 weeks, 6 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 10:40 p.m. This repo has been linked 23 different CVEs too.
Profile Photo
greenido/CISA-alerts-bot

A stateless GitHub Action that monitors Cybersecurity Alerts and sends structured alerts to Slack / Telegram

TypeScript

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : Feb. 13, 2026, 4:10 a.m. This repo has been linked 6 different CVEs too.
Profile Photo
ekomsSavior/Cerberus

Cerberus-CVE Assessment Situation

Python

Updated: 1 month, 1 week ago
13 stars 5 fork 5 watcher
Born at : Nov. 3, 2025, 7:46 p.m. This repo has been linked 6 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-21513 vulnerability anywhere in the article.

  • The Hacker News
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software ... Read more

Published Date: Mar 18, 2026 (1 week ago)
  • The Hacker News
9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors

Cybersecurity researchers have warned about the risks posed by low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, which can grant attackers extensive control over compromised hos ... Read more

Published Date: Mar 18, 2026 (1 week ago)
  • The Hacker News
Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root via systemd Cleanup Timing Exploit

A high-severity security flaw affecting default installations of Ubuntu Desktop versions 24.04 and later could be exploited to escalate privileges to the root level. Tracked as CVE-2026-3888 (CVSS sco ... Read more

Published Date: Mar 18, 2026 (1 week ago)
  • The Hacker News
Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CV ... Read more

Published Date: Mar 18, 2026 (1 week ago)
  • The Hacker News
Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary ... Read more

Published Date: Mar 18, 2026 (1 week ago)
  • The Hacker News
AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cybersecurity researchers have disclosed details of a new method for exfiltrating sensitive data from artificial intelligence (AI) code execution environments using domain name system (DNS) queries. I ... Read more

Published Date: Mar 17, 2026 (1 week, 1 day ago)
  • The Hacker News
CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidenc ... Read more

Published Date: Mar 17, 2026 (1 week, 1 day ago)
  • The Hacker News
Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8

Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The list of vulnerabilities is as fol ... Read more

Published Date: Mar 13, 2026 (1 week, 5 days ago)
  • The Hacker News
Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution. The vulner ... Read more

Published Date: Mar 13, 2026 (1 week, 5 days ago)
  • The Hacker News
Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit. The vulnerability, tracked a ... Read more

Published Date: Mar 12, 2026 (1 week, 6 days ago)
  • The Hacker News
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of ac ... Read more

Published Date: Mar 12, 2026 (1 week, 6 days ago)
  • The Hacker News
Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution ... Read more

Published Date: Mar 11, 2026 (2 weeks ago)
  • The Hacker News
Dozens of Vendors Patch Security Flaws Across Enterprise Software and Network Devices

SAP has released security updates to address two critical security flaws that could be exploited to achieve arbitrary code execution on affected systems. The vulnerabilities in question listed below - ... Read more

Published Date: Mar 11, 2026 (2 weeks ago)
  • The Hacker News
Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days

Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known. Of these, eight are rat ... Read more

Published Date: Mar 11, 2026 (2 weeks ago)
  • The Hacker News
Five Malicious Rust Crates and AI Bot Exploit CI/CD Pipelines to Steal Developer Secrets

Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors. The Rust packages, published to crates.i ... Read more

Published Date: Mar 11, 2026 (2 weeks ago)
  • The Hacker News
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The ac ... Read more

Published Date: Mar 10, 2026 (2 weeks, 1 day ago)
  • The Hacker News
The Zero-Day Scramble is Avoidable: A Guide to Attack Surface Reduction

You can't control when the next critical vulnerability drops. You can control how much of your environment is exposed when it does. The problem is that most teams have more internet-facing exposure th ... Read more

Published Date: Mar 10, 2026 (2 weeks, 1 day ago)
  • The Hacker News
CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Th ... Read more

Published Date: Mar 10, 2026 (2 weeks, 1 day ago)
  • The Hacker News
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. "The ... Read more

Published Date: Mar 05, 2026 (2 weeks, 6 days ago)
  • CybersecurityNews
MSHTML Framework 0-Day Exploited by APT28 Hackers Before Feb 2026’s Patch Tuesday Update

MSHTML Framework 0-Day Exploited by APT28 A zero-day vulnerability in the Microsoft HTML (MSHTML) framework was actively exploited in the wild. The vulnerability, tracked as CVE-2026-21513, allows att ... Read more

Published Date: Mar 02, 2026 (3 weeks, 2 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-21513 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Feb. 11, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.14393.8868 *cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* versions up to (excluding) 10.0.14393.8868 *cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.17763.8389 *cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:* versions up to (excluding) 10.0.26100.7781 *cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.26100.7781 *cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:* versions up to (excluding) 10.0.22631.6649 *cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.22631.6649 *cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:* versions up to (excluding) 10.0.26200.7781 *cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.26200.7781 *cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:* versions up to (excluding) 10.0.19045.6937 *cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.19045.6937 *cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:* versions up to (excluding) 10.0.19045.6937 *cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:* versions up to (excluding) 10.0.19044.6937 *cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.19044.6937 *cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:* versions up to (excluding) 10.0.19044.6937 *cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* versions up to (excluding) 10.0.17763.8389 *cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:-:*:x64:* versions up to (excluding) 10.0.14393.8868 *cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:-:*:x64:* versions up to (excluding) 10.0.17763.8389 *cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:-:*:x64:* versions up to (excluding) 10.0.20348.4711 *cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:-:*:x64:* versions up to (excluding) 10.0.25398.2149 *cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:x64:* versions up to (excluding) 10.0.26100.32313
    Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513 Types: Vendor Advisory
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 10, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513
  • New CVE Received by [email protected]

    Feb. 10, 2026

    Action Type Old Value New Value
    Added Description Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CWE CWE-693
    Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact