Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Microsoft Edge (Chromium-based) Spoofing Vulnerability
AnalysisAI
Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), indicating the browser fails to adequately sanitize or neutralize attacker-supplied input before it is rendered in a web page context. The 'Google' and 'XSS' tags in the intelligence data suggest the root cause may reside in shared Chromium/Blink rendering engine components that Microsoft Edge inherits as a Chromium-based browser. In spoofing-via-XSS scenarios, injected scripts commonly manipulate address bar display, security origin indicators, or in-page UI elements to simulate trusted contexts. The affected CPE (cpe:2.3:a:microsoft:microsoft_edge_(chromium-based):*:*:*:*:*:*:*:*) covers all Chromium-based Edge versions from 1.0.0.0 through the boundary of 148.0.3967.70.
RemediationAI
Upgrade Microsoft Edge (Chromium-based) to version 148.0.3967.70 or later, which is confirmed as the patched release per EUVD-2026-30788 and the Microsoft MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45494. On managed endpoints, deploy the update via Microsoft Endpoint Manager, WSUS, or equivalent patch management tooling and verify the installed version through edge://settings/help. If immediate patching is not feasible, administrators can reduce exposure by enforcing web content filtering policies to block access to untrusted or uncategorized domains, or by deploying Microsoft Edge enterprise policies to restrict JavaScript execution on non-allowlisted origins - note that the latter may break legitimate web application functionality and should be tested before broad rollout. User awareness training targeting phishing and spoofed-page recognition is a compensating control but does not eliminate the vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30788
GHSA-gcm7-9phg-q97r