The vulnerabilities, tracked as CVE-2026-45492, CVE-2026-45494 and CVE-2026-45495, affect Chromium-based Microsoft Edge and were credited to Orange Tsai of DEVCORE Research Team, one of the better-known browser and enterprise security researchers in the global vulnerability research community. The public advisories were released on June 4, while Microsoft had already shipped fixes through Edge version 148.0.3967.70 for desktop, followed by related Android and iOS updates.
The most severe of the three is CVE-2026-45495, a remote code execution flaw linked to feedback log file handling and directory traversal. The vulnerability requires user interaction, meaning an attacker would need to convince a victim to visit a crafted webpage or open a malicious file. Even with that limitation, browser-based code execution remains a significant risk because Edge is widely deployed across corporate Windows environments, often integrated with identity, cloud and productivity workflows.
CVE-2026-45494 involves navigation handling and universal cross-site scripting. A successful exploit could allow an attacker to execute arbitrary cross-origin script in affected Edge installations after user interaction. Such flaws can be used to blur trust boundaries between websites, manipulate browser content, capture sensitive data displayed in a session or support more complex attack chains.
CVE-2026-45492 is an origin validation error that can let remote attackers access restricted functionality in affected Edge installations. Its impact is narrower than direct code execution, but origin validation weaknesses are closely watched because browsers rely on strict separation between web origins to enforce security rules across websites, applications and authentication flows.
The vulnerabilities illustrate why browser flaws discovered at contests such as Pwn2Own are treated as operational priorities by enterprise defenders. Pwn2Own has become a major venue for demonstrating working exploits against browsers, operating systems, virtualisation platforms, mobile devices and enterprise applications under controlled disclosure rules. Researchers receive rewards, vendors receive technical details, and patches are normally coordinated before full public advisories are issued.
Microsoft’s release channel shows that Edge 148.0.3967.70 carried fixes for all three desktop vulnerabilities on May 15. The iOS release on May 19 and Android release on May 21 carried fixes for CVE-2026-45495. The staggered release pattern reflects the different update paths for desktop and mobile platforms, and it places responsibility on users and administrators to verify that all endpoints have moved to patched builds.
Enterprise exposure is likely to vary widely. Organisations with automatic browser updates, endpoint management tools and software inventory systems should be able to reduce risk quickly. Environments that delay browser updates for compatibility testing, kiosk systems, shared workstations or unmanaged contractor devices may remain exposed for longer. Security teams are expected to prioritise checks for Edge versions below 148.0.3967.70 and confirm mobile deployment where Edge is used on managed phones and tablets.
The risk is not limited to attacks that begin with obvious downloads. Browser exploitation often starts with social engineering, compromised websites, malicious links, advertising abuse, phishing emails or files shared through collaboration platforms. User interaction requirements reduce automatic exploitability, but they do not remove risk, particularly where attackers can craft convincing lures around business processes, invoices, document review workflows or login prompts.
The disclosures also underline the continuing security implications of Chromium’s dominance. Edge, Chrome and several other browsers share major parts of the Chromium code base, but vendors also add their own features, services and integration layers. Edge-specific vulnerabilities can emerge from those custom components, even when the underlying Chromium project is separately patched. That makes vendor-specific browser advisories important for defenders who may otherwise focus only on upstream Chromium updates.
For Microsoft, the issue arrives as Edge remains tightly linked to Windows, Microsoft 365, Entra identity services, Copilot features and enterprise management tools. That integration improves administrative control but raises the stakes when browser flaws intersect with authentication, cross-origin protections or file handling. Browser compromise can give attackers a foothold for credential theft, session hijacking, internal reconnaissance or malware delivery.
Security teams should treat the latest Edge update as a priority patch rather than a routine browser refresh. Practical steps include confirming the installed version, forcing updates through enterprise management tools, restarting browsers after installation, auditing devices outside standard update groups and monitoring for suspicious browser-spawned processes. Users should also avoid opening unexpected links or files, particularly where the sender’s identity or the document context cannot be verified.
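One way to turn the version check above into an inventory sweep, as an added example that is not from the article: it compares each host's reported Edge build against the desktop fix level 148.0.3967.70 and sorts hosts into patched, exposed and unknown. The inventory rows, hostnames and column names are constructed; the article gives dates but no build numbers for the iOS and Android fixes, so the check covers desktop builds only.

```python
"""Added example (not from the article): flag Edge desktop installs below
the patched build 148.0.3967.70 using a constructed inventory export."""
import csv
import io
from typing import Optional

PATCHED_DESKTOP = (148, 0, 3967, 70)  # desktop build the advisory cites as fixed

# Constructed sample export; real inventory tools use their own column names.
SAMPLE_INVENTORY = """hostname,platform,edge_version
ws-fin-01,Windows,148.0.3967.70
ws-fin-02,Windows,147.0.3901.12
kiosk-lobby,Windows,148.0.3950.5
mac-design-03,macOS,148.0.3967.82
ws-hr-07,Windows,not installed
"""


def parse_version(text: str) -> Optional[tuple]:
    """Return a 4-tuple for 'a.b.c.d', or None if the field is not a version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fix level, False if below, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return v >= PATCHED_DESKTOP  # tuple comparison handles 148.0.3950.5 < 148.0.3967.70


def exposed_hosts(inventory_csv: str) -> dict:
    """Group hosts into 'exposed', 'patched' and 'unknown' for follow-up."""
    result = {"exposed": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = is_patched(row["edge_version"])
        key = "unknown" if status is None else ("patched" if status else "exposed")
        result[key].append(row["hostname"])
    return result


if __name__ == "__main__":
    for group, hosts in exposed_hosts(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (no parseable version) deserve a manual check rather than being assumed safe, since that is where unmanaged or partially inventoried devices tend to land.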
