According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? The Edge browser's tab-splitting feature, which allows users to browse two tabs simultaneously, only displays the domain prefix in the address bars instead of the full URL. This behavior can lead to phishing vulnerabilities, as attackers could exploit it to make malicious websites appear legitimate by mimicking trusted domain names. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to open a web page that contained a malicious iframe. What is the version information for this release? Microsoft Edge Version Date Released Based on Chromium Version 148.0.3967.70 05/15/2026 148.0.7778.168
Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) working with TrendAI Zero Day Initiative