High

Microsoft has released security updates to address multiple vulnerabilities in Microsoft Edge, including the critical remote code execution flaw CVE-2026-45495. Discovered and reported by Research Team, the vulnerability carries a CVSS score of high and can be exploited when a user interacts with malicious content, such as visiting a specially crafted website or opening a malicious file. The flaw stems from improper validation of user-supplied file paths during Edge’s processing of feedback log files, allowing attackers to manipulate file operations and potentially execute arbitrary code in the context of the logged-in user.

The vulnerability is particularly concerning because successful exploitation could enable attackers to perform a range of malicious actions, including data theft, browser profile compromise, local persistence, and potential lateral movement within an organization if elevated privileges are available. The root cause lies in a path-validation weakness that allows specially crafted file paths to influence file operations in unintended locations. Although Microsoft has not released proof-of-concept exploit code, the attack scenario is highly compatible with common social-engineering techniques such as malicious email attachments, poisoned downloads, and drive-by web pages designed to lure victims into triggering the exploit.

In addition to CVE-2026-45495, Microsoft addressed two related Edge vulnerabilities reported by the same researcher. CVE-2026-45494 (CVSS medium) involves a navigation-handling weakness that could lead to cross-origin script injection when combined with user interaction, while CVE-2026-45492 (CVSS medium) results from insufficient origin validation in cross-device managed sign-in functionality, potentially exposing restricted features and increasing the effectiveness of chained attacks. While these flaws are rated lower in severity, they could be leveraged alongside other vulnerabilities to expand an attacker’s capabilities.

Microsoft has strongly recommended that organizations and individual users apply the latest Edge updates immediately to mitigate the risk of exploitation. Security teams should ensure browser and operating system patches are deployed across all endpoints, enforce least-privilege access policies, and remain vigilant against phishing attempts, suspicious links, and untrusted file attachments. Additionally, monitoring endpoint detection and response (EDR) solutions for abnormal browser-related file operations or persistence mechanisms can help identify potential exploitation attempts. Given its remote code execution capability, CVE-2026-45495 should be treated as a high-priority patching requirement to reduce organizational exposure.