Description
Insufficient validation of untrusted input in Tab Group Sync in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome for Android contains insufficient validation of untrusted input during Tab Group synchronization. A remote attacker can spoof sync traffic to inject arbitrary scripts or HTML, leading to cross‑site scripting that runs in the context of the user’s browser. This is a classic input‑validation flaw (CWE‑20) that can compromise the confidentiality, integrity, and availability of the user’s browsing session.

Affected Systems

The flaw affects all Chrome for Android installations that have the Tab Group sync feature enabled and whose version is earlier than 149.0.7827.53. Devices running any older Android Chrome releases are vulnerable until a patch is applied.

Risk and Exploitability

The vulnerability has a Chromium severity of Medium and no EPSS score is recorded. It is not listed in CISA’s KEV catalog. Exploitation requires the attacker to interfere with the sync traffic, which can be achieved over unsecured or compromised networks. Once a malicious payload is injected, the user’s browser executes it immediately, without needing additional user interaction, making the attack path relatively direct.

Generated by OpenCVE AI on June 5, 2026 at 02:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or newer
  • Disable Tab Group Sync until the update is installed
  • Enable Safe Browsing and site‑filtering protections to reduce the impact of injected scripts

Generated by OpenCVE AI on June 5, 2026 at 02:49 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Input Validation in Chrome Tab Group Sync Enables Remote Script Injection (UXSS)

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Tab Group Sync in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:14:53.119Z

Reserved: 2026-06-04T17:06:34.178Z

Link: CVE-2026-11034

Vulnrichment

Updated: 2026-06-05T19:13:38.439Z

NVD

Status: Undergoing Analysis

Published: 2026-06-04T23:17:07.517

Modified: 2026-06-05T20:17:19.313

Link: CVE-2026-11034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T05:30:32Z

Weaknesses