Description
Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Chrome Keyboard component’s inappropriate implementation permits a remote attacker to inject arbitrary scripts or HTML into a crafted web page. This flaw enables malicious code to execute in the context of the user’s browser session, potentially resulting in credential theft, session hijacking, or visual defacement. The weakness is classified as a cross‑site scripting vulnerability (CWE‑79) and an inadequate input filtering issue (CWE‑358).

Affected Systems

Google Chrome versions before 149.0.7827.53 are affected; the update fixed in the stable channel was released in June 2026.

Risk and Exploitability

Chromium rates the issue as a CVSS 6.1 vulnerability. The EPSS score is below 1 %, indicating a low but non‑zero probability of exploitation, and the vulnerability is not in the CISA KEV catalog. The attack vector is a remote attacker delivering a specially crafted HTML page that takes advantage of the keyboard handling code, requiring only a page load or user interaction to trigger execution.

Generated by OpenCVE AI on June 8, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later to receive the security fix.
  • Enable automatic updates in Chrome so future security patches are applied automatically.
  • If immediate updating is not possible, enforce a strict content‑security policy that blocks inline scripts or deploy an extension that mitigates script injection.

Generated by OpenCVE AI on June 8, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-358
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Keyboard Implementation Leak Allows Remote Script Injection via Crafted HTML in Google Chrome chromium-browser: Inappropriate implementation in Keyboard
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Fri, 05 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Keyboard Implementation Leak Allows Remote Script Injection via Crafted HTML in Google Chrome
Weaknesses CWE-79

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T15:32:14.401Z

Reserved: 2026-06-04T17:06:55.096Z

Link: CVE-2026-11122

cve-icon Vulnrichment

Updated: 2026-06-08T15:31:53.153Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:18.023

Modified: 2026-06-09T03:06:09.513

Link: CVE-2026-11122

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11122 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T17:30:06Z

Weaknesses
  • CWE-358

    Improperly Implemented Security Check for Standard

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')