Description
Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate implementation in the Payments component of Google Chrome before version 149.0.7827.53 allows a remote attacker who can convince a user to perform specific user interface gestures to spoof the browser UI. By serving a crafted HTML page, the attacker can alter or mimic the visual presentation of the Payments UI, deceiving the user about what they are confirming or which site they are transacting with. The official Chromium severity is Medium: the flaw does not yield code execution, but it undermines the trust users place in browser-drawn payment prompts, which is what a phishing or payment-fraud campaign would build on.

Affected Systems

The vulnerability affects Google Chrome builds earlier than 149.0.7827.53. Users on any channel or distribution that is still shipping an older build are exposed; the CVE text does not restrict the flaw to a particular platform.

Risk and Exploitability

No EPSS score has been published yet and the vulnerability is not in the CISA KEV catalog, so there is no documented in-the-wild exploitation at the time of writing; a missing EPSS score is not an estimate of zero probability, only a sign that scoring has not caught up with a CVE published the previous day. Exploitation requires a victim to load a malicious page and then perform a specific sequence of UI gestures, so it depends on social engineering rather than a purely remote trigger. A medium-severity impact combined with mandatory user interaction places this at moderate risk, and the fix is a routine browser update; the absent EPSS value and KEV entry do not lessen the case for applying it.

Generated by OpenCVE AI on June 5, 2026 at 01:33 UTC.

Remediation

No vendor advisory is linked on this page yet. The CVE text itself names the fixed release (Chrome 149.0.7827.53), so updating to that build or later is the remediation; no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, and confirm the installed build in chrome://version rather than assuming the update has been applied.
  • If an upgrade must wait, do not enter or confirm payment details on untrusted sites; the CVE text identifies no setting that disables the affected Payments UI, so treating payment prompts on unfamiliar pages as untrustworthy is the only interim measure.
  • Educate users to abandon a payment flow if the prompt appears after unusual or unexpected UI gestures, or on a page where they did not intend to pay.
  • In managed environments, enforce the minimum version through the browser update policy and report hosts still below 149.0.7827.53 so unpatched builds are not left behind.
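As an added example (not OpenCVE's or Google's code), the following Python script decides whether an installed Chrome build is older than the fixed release named in the CVE and triages a constructed host inventory. Chrome version strings must be compared component by component: a plain string comparison ranks 149.0.7827.100 below 149.0.7827.53 and would mark a patched host as vulnerable. The hostnames and versions in the sample inventory are made up.

```python
"""Check Chrome build numbers against the fixed release for CVE-2026-11001.

Added example, not OpenCVE's or Google's code. The fixed version comes from
the CVE text; the inventory lines below are constructed sample data.
"""
import re

# Fixed release named in the CVE description.
FIXED_VERSION = "149.0.7827.53"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH, four dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split a Chrome version string into four integers.

    Comparing the strings directly is wrong: "149.0.7827.100" sorts before
    "149.0.7827.53" lexicographically, although it is the newer build.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version: {version!r}")
    major, minor, build, patch = (int(part) for part in version.split("."))
    return major, minor, build, patch


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines):
    """Map hostnames to a status from 'host<TAB>version' inventory lines.

    Lines that do not carry a parseable version are reported as "unknown"
    rather than silently counted as patched, so they still get reviewed.
    """
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# host\tchrome_version
ws-01\t148.0.7700.121
ws-02\t149.0.7827.53
ws-03\t149.0.7827.100
ws-04\t149.0.7827.9
ws-05\tnot-installed
""".splitlines()


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Feed the script real output from your endpoint inventory in the same host/version form; anything reported as "unknown" deserves a manual look, since a host with no Chrome version recorded may simply have an agent that failed to report.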

Generated by OpenCVE AI on June 5, 2026 at 01:33 UTC.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Google; Google chrome
  Vendors & Products   (none)           Google; Google chrome

Fri, 05 Jun 2026 02:00:00 +0000

  Type                 Values Removed   Values Added
  Title                (none)           UI Spoofing via Crafted Web Page in Google Chrome Payments Before 149.0.7827.53
  Weaknesses           (none)           CWE-601; CWE-640

Thu, 04 Jun 2026 23:15:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
  References           (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:15.272Z

Reserved: 2026-06-04T17:06:26.297Z

Link: CVE-2026-11001

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T23:17:03.837

Modified: 2026-06-04T23:17:03.837

Link: CVE-2026-11001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T02:15:29Z

Weaknesses