Remote Code Execution via Directory Traversal in Microsoft Edge Feedback Log (CVE‑2026‑45495)
What It Is — A newly disclosed zero‑day (ZDI‑26‑331) in Microsoft Edge’s feedback‑log handling permits an attacker to traverse directories and execute arbitrary code. The flaw stems from insufficient validation of a user‑supplied path before file operations are performed.
Exploitability — Exploitation requires user interaction (visiting a malicious page or opening a crafted file). A proof‑of‑concept was demonstrated at Pwn2Own, and the CVSS base score is 7.5 (High). Microsoft has released a patch.
Affected Products — Microsoft Edge (all supported versions at time of disclosure).
TPRM Impact —
- Edge is a common browser in corporate environments; compromised endpoints can become launch pads for lateral movement.
- Third‑party SaaS platforms accessed via Edge may inherit the risk, expanding the attack surface across the supply chain.
Recommended Actions —
- Deploy Microsoft’s security update for CVE‑2026‑45495 immediately on all managed endpoints.
- Enforce strict web‑filtering and file‑type controls to block untrusted feedback‑log files.
- Verify that endpoint protection solutions flag attempts to write outside allowed directories.
- Update incident‑response playbooks to include detection of anomalous Edge processes and file‑system activity.
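One way to test the "write outside allowed directories" check from the actions above is to run file-system telemetry through a small canonicalizing filter. This is an added example, not Microsoft's code or part of the original advisory. Assumptions: the event schema (image, op, path) and the allow-listed directory are constructed placeholders, and msedge.exe is used as the Edge process image name.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: placeholder allow-list. Replace with directories from your own Edge baseline.
ALLOWED_DIRS = [r"C:\Users\alice\AppData\Local\EXAMPLE-EdgeData"]

def canon(path):
    """Collapse '.'/'..' segments, unify separators, lowercase (NTFS is case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))

def is_within(path, base):
    """True if the canonical path is the base directory or lies beneath it."""
    p, b = canon(path), canon(base)
    try:
        return ntpath.commonpath([p, b]) == b
    except ValueError:  # different drives, or absolute mixed with relative
        return False

def flag_events(events, process="msedge.exe", allowed=ALLOWED_DIRS):
    """Return findings for writes by `process` that leave, or try to climb out of, `allowed`."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != process or ev["op"] != "write":
            continue
        raw = ev["path"]
        escaped = not any(is_within(raw, d) for d in allowed)
        dotdot = ".." in raw.replace("/", "\\").split("\\")
        if escaped or dotdot:
            reason = "outside-allowed" if escaped else "dotdot-in-path"
            findings.append({"path": raw, "resolved": canon(raw), "reason": reason})
    return findings

# Constructed sample events (hypothetical schema: image, op, path).
BASE = ALLOWED_DIRS[0]
SAMPLE_EVENTS = [
    {"image": "msedge.exe", "op": "write", "path": BASE + r"\feedback\log1.txt"},
    {"image": "msedge.exe", "op": "write", "path": BASE + r"\feedback\..\..\..\Roaming\EXAMPLE\out.bin"},
    {"image": "msedge.exe", "op": "write", "path": BASE + r"\feedback\..\cache\x.tmp"},
    {"image": "msedge.exe", "op": "read", "path": r"C:\Windows\win.ini"},
    {"image": "notepad.exe", "op": "write", "path": r"C:\Temp\note.txt"},
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f["reason"], "->", f["resolved"])
```

The comparison uses path components rather than a string prefix, so a sibling directory whose name merely starts with an allowed name is still treated as outside.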