Description
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome’s extension subsystem contains a flaw that permits a remote attacker to read data that is normally protected by browser cross‑origin policies when a crafted XML file is processed. The failure in XML handling can lead to confidentiality compromise by exposing sensitive information to an unauthorized party. The weakness is associated with information‑disclosure and is classified under CWE‑200.

Affected Systems

The vulnerability affects all installations of Google Chrome that are earlier than build 149.0.7827.53. This includes the stable channel on Windows, macOS, and Linux platforms. Users who have not upgraded past that build remain exposed.

Risk and Exploitability

Chromium assigns a medium severity rating to this issue, and no EPSS score is currently available, so the precise likelihood of exploitation is unclear. Based on the description, it is inferred that an attacker would need to supply a crafted XML file to the victim, possibly by tricking the user into loading a malicious file or through a compromised extension. While the exact delivery method is not detailed, the existence of an information‑disclosure flaw warrants attention and prompt remediation.

Generated by OpenCVE AI on June 5, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Remove or block any third‑party extensions that handle XML files or that are no longer needed.
  • If an immediate update is not possible, monitor for suspicious XML files and consider disabling XML parsing in extensions through policy settings as a temporary mitigation.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google, Google chrome
Vendors & Products | | Google, Google chrome

Fri, 05 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Title | | Chrome Extension Data Leakage via Crafted XML
Weaknesses | | CWE-200

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:23.182Z

Reserved: 2026-06-04T17:06:30.897Z

Link: CVE-2026-11020

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:05.950

Modified: 2026-06-04T23:17:05.950

Link: CVE-2026-11020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses