Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
AnalysisAI
Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-20 (Improper Input Validation), a class of flaws where attacker-supplied input is not adequately sanitized or validated before use, enabling security boundary circumvention. The affected product is Microsoft Edge in its Chromium-based variant, covering all releases from 1.0.0.0 up to but not including 148.0.3967.70 per CPE cpe:2.3:a:microsoft:microsoft_edge_(chromium-based):*:*:*:*:*:*:*:* and EUVD-2026-30786. The 'Google' tag suggests the underlying flaw may originate in the shared Chromium codebase rather than a Microsoft-specific layer, though this is inferred rather than confirmed. The bypass is scoped to a single user (S:U), limiting lateral impact within the browser.
RemediationAI
Vendor-released patch: Microsoft Edge 148.0.3967.70. Organizations and individual users should update to Edge 148.0.3967.70 or later immediately via Microsoft Update, the Edge built-in update mechanism, or enterprise deployment tools. The authoritative advisory and patch guidance is published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45492. If immediate upgrade is not operationally feasible, defenders can reduce exposure by restricting users from visiting untrusted websites in Edge, enforcing web content filtering to block unknown or newly-registered domains, and monitoring browser telemetry for anomalous navigation events. Note that these compensating controls reduce but do not eliminate risk, as the user-interaction requirement can still be satisfied through phishing or malvertising on otherwise-trusted domains.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30786
GHSA-c6cv-85fc-cwmv