Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code - CyberSecurityNews
Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code
By Guru Baran
June 5, 2026
Microsoft has released a security update addressing a critical vulnerability in Microsoft Edge that could allow remote attackers to execute arbitrary code on vulnerable systems.
Tracked as CVE-2026-45495 and reported by Orange Tsai of DEVCORE, the flaw carries a CVSS v3 score of 7.5 and requires user interaction, for example, visiting a malicious webpage or opening a crafted file, to be exploited.
The vulnerability stems from improper validation during Edge’s processing of feedback log files. Specifically, Edge failed to properly validate a user-supplied file path before performing file operations.
An attacker who can trick a user into opening a malicious file or visiting a crafted page could exploit this flaw alongside other bugs to run code in the logged-in user’s context.
Because the exploit runs with the current user’s privileges, the impact ranges from data theft and browser profile compromise to local persistence or lateral movement where higher privileges exist.
According to the public advisory, the root cause is a path-validation defect in feedback log handling. By supplying a specially crafted path, an attacker can influence file operations in an unintended location.
While Microsoft’s advisory does not publish exploit code, the vulnerability’s characteristics (file-access path manipulation plus the need for user interaction) make social-engineering vectors, such as malicious attachments, drive-by pages, or poisoned downloads, likely delivery mechanisms.
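The defect class described above (a user-supplied path reaching file operations without proper validation) can be illustrated with a containment check. This is an added example, not Edge's code, and the page does not say how Edge's validation failed. The directory layout, function names and sample inputs are constructed for illustration.

```python
import os
import tempfile

def naive_is_inside(base_dir, user_path):
    """Weak check: normalises '..' lexically, then compares raw string prefixes."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base_dir)

def resolve_inside(base_dir, user_path):
    """Return the canonical path if it stays inside base_dir, else raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks; join drops base for absolute input
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares whole components, so 'logs_backup' does not match 'logs'
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return candidate

def demo():
    """Run constructed inputs through both checks; returns {label: (naive, hardened)}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        logs = os.path.join(root, "logs")             # hypothetical log directory
        os.mkdir(logs)
        os.mkdir(os.path.join(root, "logs_backup"))   # sibling sharing the string prefix
        os.symlink(root, os.path.join(logs, "link"))  # symlink leading out of logs
        samples = {
            "session.log": "session.log",
            "../outside.txt": "../outside.txt",
            "../logs_backup/x.log": "../logs_backup/x.log",
            "link/outside.txt": "link/outside.txt",
            "<absolute>": os.path.join(root, "outside.txt"),
        }
        for label, path in samples.items():
            try:
                resolve_inside(logs, path)
                hardened = True
            except ValueError:
                hardened = False
            results[label] = (naive_is_inside(logs, path), hardened)
    return results

if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:24} naive_accepts={naive!s:5} hardened_accepts={hardened}")
```

The file operation that follows should use the canonical path returned by `resolve_inside`; joining the raw input again afterwards reintroduces the problem.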
Microsoft’s release also coordinated updates for two additional Edge flaws discovered by the same researcher group:
CVE-2026-45494 (CVSS 5.0): A navigation-handling weakness that can enable cross-origin script injection; user interaction required.
CVE-2026-45492 (CVSS 4.3): Insufficient origin validation in cross-device managed sign-in, which can expose restricted functionality and be chained with other issues.
Microsoft has published fixes and urged users and administrators to apply updates immediately. Recommended actions:
Update Edge to the latest stable release via Microsoft Update or the Edge About page.
Apply operating system patches if prompted by Microsoft Update.
Block or scrutinize untrusted attachments and links in email and messaging apps.
Use least-privilege accounts for daily activities to limit exploit impact.
Monitor endpoint detection systems for unusual file operations or new persistence mechanisms linked to browser processes.
The vulnerabilities were reported to Microsoft on May 20, 2026, with coordinated public advisories released and updated on June 4, 2026. Orange Tsai (@orange_8361) of the DEVCORE Research Team (@d3vc0r3) is credited with the findings.
Administrators should prioritize the CVE-2026-45495 update given its code-execution potential and ensure patching across user endpoints to reduce exposure.