Description
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient input validation flaw in Google Chrome’s DevTools allows an attacker who has already gained control of the renderer process to inject arbitrary scripts or HTML via a crafted HTML page. This could lead to malicious code execution within the context of the renderer, effectively enabling universal cross-site scripting (UXSS) or other malicious actions.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. The flaw exists in the Chrome browser for desktop platforms.

Risk and Exploitability

The CVE has a high severity rating in Chromium’s internal scoring model, but no EPSS data is currently available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to first compromise the renderer process, likely through a malicious web page or exploit. No public exploits have been reported, and the risk is limited to environments where an attacker can execute arbitrary renderer code.

Generated by OpenCVE AI on June 5, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later.
  • If immediate update is not possible, disable DevTools for untrusted input by setting the Chrome policy 'DeveloperToolsAllowed' to false.
  • Implement a content security policy that blocks inline scripts and prevents cross-site scripting to mitigate potential injection from untrusted pages.


Tracking


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Title | | Chromium DevTools Input Validation Vulnerability Allowing Arbitrary Script Injection

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:03:37.360Z

Reserved: 2026-06-04T17:06:05.539Z

Link: CVE-2026-10916

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:16:53.713

Modified: 2026-06-04T23:16:53.713

Link: CVE-2026-10916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:15:16Z

Weaknesses