Skip to main content

Microsoft Edge EUVDEUVD-2026-30788

| CVE-2026-45494 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 microsoft GHSA-gcm7-9phg-q97r
5.4
CVSS 3.1 · NVD
Temporal: 4.7
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CIRCL (temporal)
4.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 18:36 vuln.today

DescriptionCVE.org

Microsoft Edge (Chromium-based) Spoofing Vulnerability

AnalysisAI

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), indicating the browser fails to adequately sanitize or neutralize attacker-supplied input before it is rendered in a web page context. The 'Google' and 'XSS' tags in the intelligence data suggest the root cause may reside in shared Chromium/Blink rendering engine components that Microsoft Edge inherits as a Chromium-based browser. In spoofing-via-XSS scenarios, injected scripts commonly manipulate address bar display, security origin indicators, or in-page UI elements to simulate trusted contexts. The affected CPE (cpe:2.3:a:microsoft:microsoft_edge_(chromium-based):*:*:*:*:*:*:*:*) covers all Chromium-based Edge versions from 1.0.0.0 through the boundary of 148.0.3967.70.

RemediationAI

Upgrade Microsoft Edge (Chromium-based) to version 148.0.3967.70 or later, which is confirmed as the patched release per EUVD-2026-30788 and the Microsoft MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45494. On managed endpoints, deploy the update via Microsoft Endpoint Manager, WSUS, or equivalent patch management tooling and verify the installed version through edge://settings/help. If immediate patching is not feasible, administrators can reduce exposure by enforcing web content filtering policies to block access to untrusted or uncategorized domains, or by deploying Microsoft Edge enterprise policies to restrict JavaScript execution on non-allowlisted origins - note that the latter may break legitimate web application functionality and should be tested before broad rollout. User awareness training targeting phishing and spoofed-page recognition is a compensating control but does not eliminate the vulnerability.

Share

EUVD-2026-30788 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy