Description
Inappropriate implementation in DOM in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted HTML page can cause Google Chrome to treat cross‑origin requests as same‑origin, allowing an attacker to read private data from other sites. The flaw does not require local privileges and can be triggered by any user who opens a malicious page, resulting in potential data theft. The vulnerability is identified as a medium‑severity flaw in Chromium’s handling of DOM.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. Updating to the release that incorporates the patch removes the flaw.

Risk and Exploitability

The exploit requires the user to load a malicious page in Chrome. No exploit code is currently documented, but that does not preclude undisclosed exploits. The CVSS score of 6.5 indicates medium severity. The EPSS score is <1%, and the vulnerability is not listed in CISA’s KEV catalog. With user interaction required, the risk is moderate in environments with high exposure to malicious web content.

Generated by OpenCVE AI on June 5, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later.
  • Ensure Chrome’s automatic update mechanism is enabled to receive future security patches.
  • Exercise caution when browsing: avoid clicking suspicious links and limit access to untrusted sites while using Chrome.

Generated by OpenCVE AI on June 5, 2026 at 20:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Same‑Origin Policy Bypass via Crafted HTML in Google Chrome
Weaknesses CWE-284

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Fri, 05 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title Same‑Origin Policy Bypass via Crafted HTML in Google Chrome
Weaknesses CWE-284

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DOM in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:29:55.362Z

Reserved: 2026-06-04T17:06:34.621Z

Link: CVE-2026-11036

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T23:17:07.747

Modified: 2026-06-05T19:16:29.863

Link: CVE-2026-11036

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T21:00:05Z

Weaknesses