Description
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient input validation in DevTools enabled an attacker to obtain cross‑origin data by persuading a user to install a malicious Chrome extension. The flaw allows the attacker to read data that should be protected by the same‑origin policy, compromising the confidentiality of the user’s information. The weakness matches CWE‑20, Improper Input Validation.

Affected Systems

The vulnerability affects Google Chrome up to and including version 149.0.7827.52. Versions 149.0.7827.53 and later contain the fix and are not affected. Users of any Chrome build before that are susceptible if they allow malicious extensions to run.

Risk and Exploitability

The CVE is rated medium severity but no EPSS score is available, and it is not listed in the CISA KEV catalog. Likely exploitation requires a user to install a malicious extension, so the attack vector is user‑initiated intent. While the vulnerability is not currently flagged as exploited, the inherent confidentiality risk warrants prompt remediation.

Generated by OpenCVE AI on June 5, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or newer where the issue is fixed
  • Remove any installed Chrome extensions that may be malicious or from untrusted sources
  • Configure Chrome policies to restrict the installation of extensions unless explicitly approved

Generated by OpenCVE AI on June 5, 2026 at 04:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Cross-Origin Data Leakage via Malicious Extension

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:10.416Z

Reserved: 2026-06-04T17:06:55.979Z

Link: CVE-2026-11126

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:18.570

Modified: 2026-06-04T23:17:18.570

Link: CVE-2026-11126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:15:25Z

Weaknesses