CVE-2026-45495: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Edge - Chromium
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2026-May
Released: 2026-05-15
Last Updated: 2026-06-01
EPSS Score: 0.99% (percentile: 58.0%)

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability?

The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.

What is the version information for this release?

  • Microsoft Edge Version: 148.0.3967.70
  • Date Released: 05/15/2026
  • Based on Chromium Version: 148.0.7778.168

Affected Products (1)

Browser

  • Microsoft Edge (Chromium-based)

Acknowledgments

Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) working with TrendAI Zero Day Initiative

Revision History

  • 2026-05-15: Information published.
  • 2026-05-26: CWE added. Informational change only.
  • 2026-06-01: Acknowledgement added. This is an informational change only.