Description
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome versions prior to 149.0.7827.53 contain insufficient validation of untrusted input in the WebAppInstalls component. This input‑validation flaw, classified as CWE‑20, allows an attacker who has already compromised the renderer process to craft a malicious HTML page that exfiltrates cross‑origin data. The vulnerability does not provide remote code execution on its own, but it does expose confidential information that the same‑origin policy would otherwise protect.

Affected Systems

Affected versions are Google Chrome stable‑channel releases up to version 149.0.7827.53. Any system running these releases is potentially susceptible to the data‑leak scenario described above.

Risk and Exploitability

The Chromium security team rates the flaw as Medium on its internal severity scale. No EPSS score is publicly available, and the vulnerability is not listed in CISA’s KEV catalog, indicating limited evidence of active exploitation. Exploitation requires an attacker to first subvert the renderer process—typically through a local compromise or an advanced web‑based attack—after which the attacker can deliver the crafted HTML and read cross‑origin content. Because renderer compromise is a prerequisite, the likelihood of exploitation is moderate, but the confidentiality impact, even in the absence of known active exploits, warrants prompt patching.

Generated by OpenCVE AI on June 5, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.54 or later to apply the vendor‑supplied fix
  • Disable the WebAppInstalls feature via Chrome Enterprise policy to reduce the attack surface if immediate patching is not possible
  • Monitor renderer processes for unusual cross‑origin data transmission and enforce strict content‑security policies to mitigate potential leaks


Tracking


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Google
                                       Google chrome
Vendors & Products                     Google
                                       Google chrome

Fri, 05 Jun 2026 03:30:00 +0000

Type                  Values Removed   Values Added
Title                                  Chrome WebAppInstalls Input Validation Leak

Thu, 04 Jun 2026 23:15:00 +0000

Type                  Values Removed   Values Added
Description                            Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses                             CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:18.029Z

Reserved: 2026-06-04T17:06:27.988Z

Link: CVE-2026-11008

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:04.613

Modified: 2026-06-04T23:17:04.613

Link: CVE-2026-11008

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:00:11Z

Weaknesses