Skip to main content

Microsoft Edge EUVDEUVD-2026-30785

| CVE-2026-45495 HIGH
Improper Input Validation (CWE-20)
2026-05-18 microsoft GHSA-52mp-27cf-fhvh
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 18:33 vuln.today

DescriptionCVE.org

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

AnalysisAI

Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Microsoft Edge (Chromium-based) is Microsoft's browser built on the open-source Chromium engine, sharing rendering and JavaScript components (Blink, V8) with Google Chrome. The CWE-20 (Improper Input Validation) classification indicates the browser fails to properly sanitize or validate input data - typically web content such as crafted HTML, JavaScript, or other resources - before processing. The CPE string cpe:2.3:a:microsoft:microsoft_edge_(chromium-based) confirms the affected component is the desktop Edge application rather than the legacy EdgeHTML variant. Tags referencing both Google and Microsoft suggest this issue may overlap with an upstream Chromium defect propagated downstream to Edge.

RemediationAI

Vendor-released patch: Microsoft Edge (Chromium-based) 148.0.3967.70 or later - update via Edge's built-in updater (edge://settings/help) or through enterprise management channels such as Microsoft Intune, WSUS, or the Microsoft Edge for Business update channels, referencing https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45495 for advisory details. As compensating controls before patching, restrict browsing to trusted sites via SmartScreen and Microsoft Defender SmartScreen enforcement, enable Microsoft Defender Application Guard for Edge to isolate untrusted content in a Hyper-V container (note: this adds resource overhead and breaks some extensions), and consider deploying group policy to disable JIT for V8 via the JavaScriptJitEnabled policy (side effect: notable performance degradation on JS-heavy sites). No alternative browser substitution is recommended as a security control since other Chromium browsers typically share the upstream defect.

Share

EUVD-2026-30785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy