Description
Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insufficient validation of untrusted input in the password handling component of Google Chrome. A remote attacker can deliver a malicious HTML page that includes a deceptive password form. When a user interacts with the form, the browser accepts the input as legitimate, allowing the attacker to masquerade as a trusted site and gather the user’s input. This UI spoofing does not guarantee credential theft but can mislead users into providing sensitive information to a malicious interface.

Affected Systems

All desktop releases of Google Chrome with versions older than 148.0.7778.216 on macOS, Windows, and Linux are affected. The flaw is present in the password processing module across these operating systems.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, but the Chromium security severity is High, reflecting the potential for significant user deception. The EPSS score is below 1%, implying a low probability of exploitation in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to visit a crafted page containing malicious input; the attack vector is remote, relying on social engineering or a compromised site to lure the user to the page.

Generated by OpenCVE AI on May 29, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Chrome update 148.0.7778.216 or newer to fix the input‑validation issue in password handling.
  • Ensure that Chrome’s automatic updates are enabled or schedule regular manual updates to keep the browser patched.
  • Deploy or enable a reputable anti‑phishing browser extension that detects UI spoofing and warns users when they encounter deceptive pages.



Advisories

No advisories yet.

History

Fri, 29 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}


Fri, 29 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in Passwords
Weaknesses CWE-1173
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Important


Fri, 29 May 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T18:02:57.890Z

Reserved: 2026-05-28T17:25:12.177Z

Link: CVE-2026-10004

Vulnrichment

Updated: 2026-05-29T18:02:51.795Z

NVD

Status: Modified

Published: 2026-05-28T23:16:42.187

Modified: 2026-05-29T19:16:22.940

Link: CVE-2026-10004

Redhat

Severity: Important

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-10004 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T14:00:20Z