Description
Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Chrome’s Keyboard component permits a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. This flaw can cause malicious code to run in the context of the victim’s browser session, potentially leading to credential theft, session hijacking, or defacement of the displayed web content. The weakness is classified as an inappropriate implementation that fails to validate or sanitize keyboard-related input before rendering it, which aligns with common cross-site scripting weaknesses.

Affected Systems

Google Chrome versions before 149.0.7827.53 are affected. The issue was identified in the stable channel and addressed in the 149.0.7827.53 update released in June 2026.

Risk and Exploitability

Chromium rates this as a Medium severity vulnerability. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote attacker delivering a specially crafted HTML page that leverages the keyboard handling code to execute arbitrary scripts. Exploitation requires either user interaction with the page or a simple page load, making it relatively straightforward for an attacker who can host a malicious page or embed malicious content in existing websites.

Generated by OpenCVE AI on June 5, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.53 or later to apply the security fix.
  • Enable automatic updates in Chrome so that future security patches are received automatically.
  • If immediate updating is impossible, enforce a strict content security policy that blocks inline scripts or use an extension that mitigates script injection.



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google; Google chrome |
| Vendors & Products | | Google; Google chrome |

Fri, 05 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Keyboard Implementation Leak Allows Remote Script Injection via Crafted HTML in Google Chrome |
| Weaknesses | | CWE-79 |

Thu, 04 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:08.793Z

Reserved: 2026-06-04T17:06:55.096Z

Link: CVE-2026-11122

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:18.023

Modified: 2026-06-04T23:17:18.023

Link: CVE-2026-11122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T06:15:33Z

Weaknesses