PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45494 Microsoft CVE debrief

A spoofing vulnerability in Microsoft Edge (Chromium-based) allows an attacker to manipulate UI elements to deceive users. The vulnerability has a CVSS 3.1 score of 5.4 (Medium severity) and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Affected versions are prior to 148.0.3967.70. Microsoft has released a security update addressing this issue.

Vendor: Microsoft
Product: Microsoft Edge (Chromium-based)
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

End users and enterprise administrators running Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70. Organizations with managed browser deployments should prioritize this update to prevent potential phishing or credential harvesting attacks leveraging spoofed UI elements.

Technical summary

This vulnerability in Microsoft Edge (Chromium-based) enables UI spoofing attacks, where malicious content is rendered so that it appears to be a legitimate browser interface element. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) indicates a network attack vector, low attack complexity and no privileges required, but user interaction is required. The confidentiality and integrity impacts are low, and there is no availability impact. The underlying weakness is CWE-79, typically associated with cross-site scripting, where a failure to neutralize input allows attacker-controlled content to be injected into the generated page.

Defensive priority

medium

Recommended defensive actions

  • Update Microsoft Edge to version 148.0.3967.70 or later
  • Verify browser version through Edge Settings > About Microsoft Edge
  • Deploy browser update policies via enterprise management tools if applicable
  • Monitor for user reports of suspicious UI behavior or unexpected authentication prompts

Evidence notes

CVE published 2026-05-18; modified 2026-05-19. Vendor advisory confirms affected versions and fix availability.
