ZDI 2026-06-04

ZDI-26-330: (Pwn2Own) Microsoft Edge Navigation Handling Universal Cross-Site Scripting Vulnerability

CVE-2026-45494

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires user interaction to visit a malicious page or open a malicious file, indicating execution depends on social engineering.

Context

The affected product is Microsoft Edge, specifically in its navigation handling component. The vulnerability is a universal cross-site scripting (XSS) issue that allows remote attackers to execute arbitrary cross-origin scripts. The advisory notes user interaction is required for exploitation. Worth noting, the CVSS score is rated at 5.0, indicating a medium severity impact.

Operator considerations

Check: Verify if Microsoft Edge is deployed in the environment.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary cross-origin script on affected installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 5.0. The following CVEs are assigned: CVE-2026-45494.

Read the full advisory on ZDI →