Vulnerability intelligence
CVE-2026-21513
Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
CVSS Score
8.8
High
EPSS — Exploit Probability
15%
Riskier than 96% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2026-03-03
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-03-03.
5 articles across 4 outlets · first covered Apr 8, 2026 · latest May 7, 2026
Tracked incidents
Associated threat actors
Coverage timeline
-
Office and Windows flaws boost exploit kits in Q1 2026securelist.com · May 7, 2026
-
Microsoft Warns of Active Exploit in CVE-2026-32202 Spoof Flawthehackernews.com · Apr 28, 2026
-
APT28 exploits Windows SmartScreen gap for zero click LNK attackswww.securityweek.com · Apr 27, 2026
-
Russia-linked APT28 uses PRISMEX to infiltrate Ukraine and allied infrastructure with advanced tacticssecurityaffairs.com · Apr 8, 2026
-
APT28 Deploys New PRISMEX Malware Against Ukraine and NATO Alliesthehackernews.com · Apr 8, 2026