Description
Inappropriate implementation in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Chrome’s FileSystem implementation. A renderer process that an attacker has already compromised can serve a specially crafted HTML page that bypasses the normal same‑origin restriction. This abuse can allow the attacker to read or write sensitive data from other origins and potentially trigger further malicious behavior, representing a significant breach of confidentiality and integrity.

Affected Systems

All desktop installations of Google Chrome prior to version 149.0.7827.53 on the stable channel are impacted. The vulnerability affects every user running a prior update on Windows, macOS, or Linux.

Risk and Exploitability

The CVSS score is classified as medium, and no EPSS score is publicly available, indicating limited evidence of current exploitation. The vulnerability was not listed in CISA’s KEV catalog. The attack requires an attacker to have already compromised the renderer process; once that condition is met, a crafted page can be served to exfiltrate data. The risk is therefore moderate to high for systems that cannot immediately remediate.

Generated by OpenCVE AI on June 5, 2026 at 02:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later to contain the fix.
  • Restrict renderer process privileges by ensuring the browser is run in the latest sandboxed environment and that untrusted extensions are disabled.
  • Monitor for anomalous renderer activity, such as unexpected network connections or disallowed file system access, and isolate compromised processes immediately.

Generated by OpenCVE AI on June 5, 2026 at 02:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Same‑Origin Policy Bypass via FileSystem API in Google Chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:04:47.284Z

Reserved: 2026-06-04T17:06:44.921Z

Link: CVE-2026-11078

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:12.513

Modified: 2026-06-04T23:17:12.513

Link: CVE-2026-11078

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T03:30:30Z

Weaknesses