Microsoft has released a security update addressing a critical vulnerability in Microsoft Edge that could allow remote attackers to execute arbitrary code on vulnerable systems.
Tracked as CVE-2026-45495 and reported by Orange Tsai of DEVCORE, the flaw carries a CVSS v3 score of 7.5 and requires user interaction, for example, visiting a malicious webpage or opening a crafted file, to be exploited.
The vulnerability stems from improper validation during Edge’s processing of feedback log files. Specifically, Edge failed to properly validate a user-supplied file path before performing file operations.
An attacker who can trick a user into opening a malicious file or visiting a crafted page could exploit this flaw alongside other bugs to run code in the logged-in user’s context.
Because the exploit runs with the current user’s privileges, the impact ranges from data theft and browser profile compromise to local persistence or lateral movement where higher privileges exist.
According to the public advisory, the root cause is a path-validation defect in feedback log handling. By supplying a specially crafted path, an attacker can influence file operations in an unintended location.
While Microsoft’s advisory does not publish exploit code, the vulnerability’s characteristics (file-access path manipulation plus the need for user interaction) make social-engineering vectors such as malicious attachments, drive-by pages, or poisoned downloads likely delivery mechanisms.
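The defect class described above, a user-supplied path reaching file operations without canonical validation, is illustrated below in an added Python example. It is not Edge's code and not taken from Microsoft's advisory; the `feedback_logs` directory, the function names and the sample paths are constructed assumptions.

```python
import os
import tempfile


def naive_is_allowed(base_dir, user_path):
    """Weak check: string prefix test on the unresolved, joined path."""
    return os.path.join(base_dir, user_path).startswith(base_dir)


def resolve_inside(base_dir, user_path):
    """Return the canonical target if it stays under base_dir, else raise."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location a file operation would actually touch.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so "feedback_logs_other" is not
    # mistaken for a child of "feedback_logs".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return target


def hardened_is_allowed(base_dir, user_path):
    try:
        resolve_inside(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo():
    """Run both checks over constructed samples; returns name -> (naive, hardened)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "feedback_logs")    # hypothetical log directory
        os.mkdir(base)
        os.symlink(root, os.path.join(base, "link"))  # link pointing outside base
        samples = {
            "plain": "session1.log",
            "dotdot": os.path.join("..", "outside.txt"),
            "sibling": os.path.join(root, "feedback_logs_other", "x.log"),
            "symlink": os.path.join("link", "outside.txt"),
        }
        return {name: (naive_is_allowed(base, p), hardened_is_allowed(base, p))
                for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:8} naive={verdicts[0]!s:5} hardened={verdicts[1]}")
```

A resolve-then-use check still leaves a window between validation and the file operation, so the validated path should be opened once and the resulting handle reused rather than re-resolving the name later.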
Microsoft’s release also coordinated updates for two additional Edge flaws discovered by the same researcher group:
Microsoft has published fixes and urged users and administrators to apply updates immediately. Recommended actions:
The vulnerabilities were reported to Microsoft on May 20, 2026, with coordinated public advisories released and updated on June 4, 2026. Orange Tsai (@orange_8361) of the DEVCORE Research Team (@d3vc0r3) is credited with the findings.
Administrators should prioritize the CVE-2026-45495 update given its code-execution potential and ensure patching across user endpoints to reduce exposure.