CVE-2026-35433

High

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

EPSS Score N/A

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35433 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PM-14 Testing, Training, and Monitoring

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

SA-11 Developer Testing and Evaluation

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

SI-10 Information Input Validation

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

SI-8 Spam Protection

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

NVD Description

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-20 CWE-190

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35433
secure@microsoft.com