A newly disclosed spoofing vulnerability in Microsoft Edge’s tab-splitting feature, tracked as CVE-2026-45494, could allow attackers to impersonate trusted websites and launch highly convincing phishing campaigns against unsuspecting users.
Microsoft patched the flaw on May 15, 2026, as part of Edge version 148.0.3967.70. Still, the exploitation assessment classifies it as “Exploitation More Likely,” making immediate updates critical for enterprises and individual users alike.
CVE-2026-45494 is a Moderate-severity spoofing vulnerability (CVSS 3.1 score: 5.4 / Temporal: 4.7) affecting Microsoft Edge (Chromium-based) on all supported Windows platforms.
Assigned and published by Microsoft’s Security Response Center (MSRC) on May 15, 2026, the vulnerability stems from CWE-79: Improper Neutralization of Input During Web Page Generation, more commonly known as Cross-Site Scripting (XSS).
What makes this flaw particularly dangerous is that it weaponizes a legitimate browser convenience feature, the tab-splitting view, and turns it into an attack surface for digital deception.
The bug impacts Edge versions before 148.0.3967.70, which is based on Chromium 148.0.7778.168. The Hong Kong Computer Emergency Response Team (HKCERT) has independently corroborated the affected version range and has advised all system administrators and users to update to version 148.0.3967.70 or later without delay.
The root cause of CVE-2026-45494 is deceptively simple yet alarmingly effective. Edge’s tab-splitting feature, designed to let users browse two tabs simultaneously side by side, only displays the domain prefix in the address bar, rather than the full URL.
This truncated URL strips away critical path and subdomain information that users would normally rely on to verify whether a site is legitimate. An attacker can exploit this behavior by crafting a malicious webpage that loads a deceptive iframe containing a spoofed page that mimics a trusted domain.
When the victim views that page in split-tab mode, the abbreviated address bar makes the phishing site visually indistinguishable from the real thing.
According to Microsoft’s advisory, the user only needs to open a web page containing a malicious iframe for the attack scenario to be triggered. No additional permissions, credentials, or downloads are required from the victim.
This attack pattern is consistent with what security analysts have observed across Microsoft’s history of Edge spoofing advisories, which “repeatedly center on HTTP parsing, deceptive content rendering, or misleading browser presentation”.
The practical threat is concrete: a convincing fake login page for a corporate SSO portal, a spoofed banking site, or a fraudulent Microsoft 365 sign-in screen all rendered within a legitimate-looking browser window.
The vulnerability carries a CVSS 3.1 base score of 5.4 and a temporal score of 4.7, reflecting Microsoft’s confirmation that no exploit code has yet been publicly demonstrated and that an official fix is already available.
| CVSS Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| Exploit Code Maturity | Unproven |
| Remediation Level | Official Fix Available |
| Report Confidence | Confirmed |
Despite the “Moderate” severity rating, Microsoft’s exploitability assessment explicitly labels the flaw “Exploitation More Likely,” a critical nuance.
This means MSRC analysts believe threat actors have a realistic, achievable attack path, even without a known public exploit.
The low attack complexity (AC:L) and zero privilege requirements (PR:N) further reduce the barrier for opportunistic attackers scanning for vulnerable Edge installations.
Affected Versions
The security update was bundled into Edge Stable Channel version 148.0.3967.70, released on May 15, 2026, built on top of Chromium 148.0.7778.168.
Tenable’s vulnerability database confirms that any Edge installation running below this version is exposed to the multiple vulnerabilities patched in the May 15 advisory, which also included fixes for Chromium-level flaws such as CVE-2026-8587 and CVE-2026-8580 (use-after-free issues in Extensions and Mojo, respectively).
Microsoft’s May 2026 Patch Tuesday addressed 137 distinct vulnerabilities, making it one of the largest monthly update cycles of 2026.
Edge users running auto-updates should already be protected; however, managed enterprise environments where updates are staged or delayed require immediate attention from IT administrators.
Remediation
Security teams should act on the following steps immediately:
- Update Microsoft Edge to version 148.0.3967.70 or later across all endpoints.
- Audit enterprise Edge deployments via Microsoft Endpoint Manager or Group Policy to confirm patch compliance.
- Enable Microsoft Edge Enhanced Security Mode, which has a documented history of mitigating browser-based exploit chains.
- Educate end users about tab-splitting phishing, and train staff to verify full URLs manually rather than relying on the address bar preview in split-tab mode.
- Monitor phishing infrastructure for campaigns mimicking corporate or banking domains, given the “Exploitation More Likely” classification.
- Review iframe-heavy web applications in your environment that might unintentionally expose internal users to spoofed content.
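For the update and audit steps above, a per-endpoint compliance check is sketched below as an added example; it is not taken from Microsoft's advisory or from this article. It assumes a system-wide Edge install in the standard locations, and the function name and exit-code convention (1 = below the fixed build) are choices made for this example.

```powershell
# Added example: report whether the installed Edge build is at or above the
# fixed version named in the advisory (148.0.3967.70).
$FixedVersion = [version]'148.0.3967.70'

function Get-InstalledEdgeVersion {
    # Hypothetical helper: returns a [version] for msedge.exe, or $null if not found.
    $candidates = @()

    # App Paths registration, if present, points at the executable in use.
    $appPathKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    if (Test-Path $appPathKey) {
        $candidates += (Get-ItemProperty -Path $appPathKey).'(default)'
    }

    # Standard system-wide install directories (the x86 variable is empty on 32-bit Windows).
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidates += Join-Path $root 'Microsoft\Edge\Application\msedge.exe'
    }

    foreach ($exe in $candidates) {
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $parsed = $null
        # Parse into [version] so each component compares numerically.
        # As plain strings, '148.0.3967.9' would sort after '148.0.3967.70'.
        if ([version]::TryParse($raw, [ref]$parsed)) { return $parsed }
    }
    return $null
}

$installed = Get-InstalledEdgeVersion
if ($null -eq $installed) {
    Write-Output 'Edge not found in the checked locations'
    exit 0
}
if ($installed -lt $FixedVersion) {
    Write-Output "NONCOMPLIANT: Edge $installed is below $FixedVersion"
    exit 1
}
Write-Output "COMPLIANT: Edge $installed"
exit 0
```

Per-user Edge installs under a user profile are not covered by these paths and need a separate inventory pass.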
FAQ
Q1: What is CVE-2026-45494?
It is a Moderate-severity (CVSS 5.4) XSS-based spoofing vulnerability in Microsoft Edge’s tab-splitting feature that can be exploited via a malicious iframe to impersonate trusted domains.
Q2: Is CVE-2026-45494 actively exploited in the wild?
No active exploitation has been confirmed, but Microsoft rates it “Exploitation More Likely,” signaling that a realistic attack path exists even without a proven public exploit.
Q3: What version of Edge fixes CVE-2026-45494?
Microsoft Edge version 148.0.3967.70, released May 15, 2026, based on Chromium 148.0.7778.168, contains the official patch.
Q4: What user action triggers this vulnerability?
Simply opening a web page that contains a malicious iframe is sufficient to trigger the spoofing attack. No downloads, installs, or extra permissions are needed.
Site: thecybrdef.com