Universal XSS in Microsoft Edge (CVE‑2026‑45494) Enables Cross‑Origin Script Execution
What It Is — A newly disclosed universal cross‑site scripting (XSS) flaw in Microsoft Edge’s navigation handling (CVE‑2026‑45494) permits an attacker to inject arbitrary script that runs in the context of any visited domain. The vulnerability scores 5.0 (CVSS 3.1) and requires a victim to load a malicious page or file.
Exploitability — No public exploit code has been released, but the flaw was demonstrated in the Pwn2Own competition, confirming practical exploitability. The CVSS vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L reflects the need for user interaction and the limited impact (low confidentiality, integrity, and availability).
Affected Products — Microsoft Edge (all current stable releases at the time of advisory).
TPRM Impact —
- Edge is often deployed as a default browser on corporate workstations and in SaaS‑based web portals; a compromised browser can become a conduit for credential theft or data exfiltration from third‑party applications.
- Vendors that embed Edge WebView2 in their products inherit the same exposure, extending the risk to downstream supply‑chain partners.
Recommended Actions —
- Deploy Microsoft’s security update for CVE‑2026‑45494 immediately (see Microsoft Update Guide).
- Enforce strict URL filtering and web‑content security policies to block untrusted sites.
- Review any internal applications that rely on Edge WebView2 and assess the need for temporary mitigation (e.g., sandboxing, disabling navigation to untrusted origins).
- Monitor endpoint telemetry for anomalous script execution or navigation events.
- Communicate the patch requirement to all third‑party vendors that supply Edge‑based components.