Published Jun 4, 2026 · 1 source

Microsoft Edge Navigation Handling Vulnerability Allows Universal XSS

A universal cross-site scripting vulnerability in Microsoft Edge's navigation handling, CVE-2026-45494, allows remote attackers to execute arbitrary cross-origin script.

The Zero Day Initiative (ZDI) has disclosed a universal cross-site scripting (XSS) vulnerability affecting Microsoft Edge, identified as ZDI-26-330 and assigned CVE-2026-45494. This flaw resides within the browser's navigation handling mechanisms and, if exploited, permits remote attackers to execute arbitrary script in a different origin than intended.

The vulnerability stems from insufficient validation of user-supplied data during navigation events. This oversight allows an attacker to inject malicious script that can then be executed within the context of a target domain. Successful exploitation requires a user to interact with malicious content, such as visiting a compromised webpage or opening a specially crafted file, which then triggers the vulnerable navigation process.

With a CVSS score of 5.0 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L), this vulnerability is classified as medium severity. Although exploitation requires user interaction and is rated as high attack complexity, the potential impact of executing arbitrary script in a user's browser session remains significant. Attackers could leverage this to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites.

Microsoft has acknowledged the vulnerability and has released a security update to address it. Users of Microsoft Edge are strongly advised to apply the latest updates provided by Microsoft to mitigate the risk of exploitation. The advisory from ZDI highlights the ongoing efforts by security researchers to uncover and report such flaws, contributing to the overall security of widely used software.

This disclosure comes from the Pwn2Own competition, a well-known event where security researchers demonstrate vulnerabilities in various software and hardware. The vulnerability was reported to Microsoft on May 20th, 2026, and the coordinated public release of the advisory occurred on June 4th, 2026, following Microsoft's issuance of a patch. The research was conducted by Orange Tsai of the DEVCORE Research Team.

While the exploit requires user interaction, the nature of universal XSS vulnerabilities means they can be broadly applicable across many websites and services that rely on the affected browser component. This underscores the importance of robust input validation and secure coding practices in browser development to prevent such security weaknesses from being introduced.

This vulnerability adds to the ongoing landscape of browser security challenges, where subtle flaws in handling web navigation and user input can lead to significant security risks. Staying updated with vendor patches and employing security best practices remain critical for users and organizations to defend against such threats.

Synthesized by Vypr AI