Description
Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-04
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the validation of untrusted input within the WebShare component of Google Chrome for macOS allowed a remote attacker who had already compromised the renderer process to potentially escape the renderer sandbox via a crafted HTML page. The weakness is a classic input validation failure (CWE-20) and also an example of insufficient sanitization that could lead to cross-site scripting attacks (CWE-79) within the renderer. The official Chromium severity rating for this issue is High.

Affected Systems

Google Chrome for macOS versions prior to 149.0.7827.53 are affected. Versions equal to or newer than 149.0.7827.53 contain the fix and are not vulnerable.

Risk and Exploitability

An attacker must obtain code‑execution or some other foothold within the renderer process and then serve a specially crafted HTML page to trigger the sandbox escape. The EPSS score of 0.00098 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Despite the lack of recent exploitation data, the CVSS score of 8.3 and the remote nature of the flaw make it a significant risk for users running affected Chrome versions.

Generated by OpenCVE AI on June 7, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on macOS to version 149.0.7827.53 or later, which contains the fixed handling of WebShare inputs.
  • Ensure Chrome’s automatic update mechanism is enabled so future security patches are applied without manual intervention.
  • Launch Chrome with the '--disable-features=WebShare' flag or use enterprise policy to disable WebShare until the patch is applied.

Advisories
Source: Debian DSA | ID: DSA-6325-1 | Title: chromium security update

History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in WebShare
Weaknesses CWE-79
References
Metrics threat_severity

None

threat_severity

Important


Fri, 05 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in WebShare Allows Potential Sandbox Escape in Chrome for macOS

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Insufficient Validation in WebShare Allows Potential Sandbox Escape in Chrome for macOS
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:41:38.494Z

Reserved: 2026-06-04T17:06:06.485Z

Link: CVE-2026-10920

Vulnrichment

Updated: 2026-06-05T01:38:53.053Z

NVD

Status: Analyzed

Published: 2026-06-04T23:16:54.263

Modified: 2026-06-05T15:47:54.767

Link: CVE-2026-10920

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-10920 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T14:45:31Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')