Microsoft has disclosed CVE-2026-5914, a high-severity vulnerability with a CVSS score of 8.8.
There is no evidence of active exploitation (the CVE is not listed in the CISA KEV catalog), and the statistical probability of exploitation in the next 30 days is very low (EPSS 0.017%).
Immediate action is not required based on current threat intelligence. Plan to patch according to standard vulnerability management timelines.
Intelligence Metadata
First Reported By: msrc.microsoft.com
Outbreak Velocity: 0 minutes spread to 1 domain
Consensus: 1 source (msrc.microsoft.com)
CVSS Score: 8.8
EPSS Score: 0.00017 (1.7th percentile)
CISA KEV Status: Not Listed
Exploit Risk Score: 0.3521
Race Label: VENDOR DISCLOSURE
Technical Analysis
Specific technical details for CVE-2026-5914 were not available in the provided intelligence. The vulnerability was disclosed by Microsoft as part of a larger set of patches. Co-disclosed vulnerabilities (e.g., CVE-2026-5893, CVE-2026-5894) are related to the Chromium browser engine, which powers Microsoft Edge. This context suggests, but does not confirm, that CVE-2026-5914 may be a vulnerability in Microsoft Edge or a related component, likely exploitable via user interaction with malicious web content. The high CVSS score of 8.8 indicates a significant technical impact if an exploit were developed, potentially involving remote code execution or information disclosure.
Affected Systems
Vendor: Microsoft
Affected Versions: Product not explicitly named for CVE-2026-5914. Inferred to be Microsoft Edge or a related component based on co-disclosed vulnerabilities.
Exposure: Inferred to be systems where users interact with untrusted web content.
Blast Radius: All users of the affected, unpatched Microsoft product.
Intelligence Context
The threat picture for CVE-2026-5914 is defined by a significant divergence between its technical severity and its current exploitation risk. The CVSS score of 8.8 categorizes it as 'High' severity, which correctly captures the potential impact of a successful exploit. However, the EPSS score is exceptionally low at 0.017%, indicating a very low probability of exploitation being observed in the wild within the next 30 days. This is corroborated by its absence from the CISA KEV catalog. The intelligence signal originated with, and is confined to, the vendor (msrc.microsoft.com), which is characteristic of a routine, coordinated disclosure event (e.g., Patch Tuesday) rather than a response to an active attack. For defenders, this means the vulnerability should be addressed through standard patching cycles and not treated as an emergency requiring immediate, out-of-band action.
Remediation & Defense
Monitor for official patch information and apply updates according to standard vulnerability management schedules. The high CVSS score warrants patching, but the low EPSS and lack of exploitation evidence reduce its immediate priority.
Patch Status: Assumed available via standard update channels as part of a vendor disclosure.
Patch Version: Refer to Microsoft's official security update guide for CVE-2026-5914.