MSHTML Framework security feature bypass vulnerability requiring user interaction. While CVSS shows network attack vector, MSHTML is a client-side HTML rendering engine used in browsers and applications, not an internet-facing server service.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: USER_INTERACTION
CVE Published: 2026-02-10
Added to CISA KEV: 2026-02-10 0 DAY BETWEEN CVE AND KEV
CVE-2026-21513 Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
What Microsoft’s advisory actually tells us The vendor entry for CVE‑2026‑21513 in the Microsoft Security Update Guide confirms three short, authoritative facts: the affected product surface is MSHTML, the classification is Security Feature Bypass, and Microsoft attaches its standard report‑confidence indicator to the advisory.
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.How to use the KEV ...
As no details have been released, it is unclear if CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were exploited in the same campaign. ... Of ...
These include: CVE-2026-21514: Security feature bypass in Microsoft Office Word. CVE-2026-21513: Security feature bypass in MSHTML Framework.