Description
Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficient input validation in DevTools enabled an attacker to obtain cross‑origin data by persuading a user to install a malicious Chrome extension. The flaw allows the attacker to read data that should be protected by the same‑origin policy, compromising the confidentiality of the user’s information. The weakness matches CWE‑20, Improper Input Validation.

Affected Systems

The vulnerability affects Google Chrome for any build before 149.0.7827.53. Versions 149.0.7827.53 and later are not affected. Users of any older Chrome build that allow malicious extensions are vulnerable.

Risk and Exploitability

The CVE is rated medium severity with a CVSS score of 4.3 and an EPSS score of < 1%, and it is not listed in the CISA KEV catalog. Likely exploitation requires a user to install a malicious extension, so the attack vector is user‑initiated intent. While the vulnerability is not currently flagged as exploited, the inherent confidentiality risk warrants prompt remediation.

Generated by OpenCVE AI on June 8, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or newer where the issue is fixed
  • Remove any installed Chrome extensions that may be malicious or from untrusted sources
  • Configure Chrome policies to restrict the installation of extensions unless explicitly approved

Generated by OpenCVE AI on June 8, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Cross-Origin Data Leakage via Malicious Extension chromium-browser: Insufficient validation of untrusted input in DevTools
Weaknesses CWE-940
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

threat_severity

Moderate

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Title Chrome DevTools Cross-Origin Data Leakage via Malicious Extension

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T18:01:26.946Z

Reserved: 2026-06-04T17:06:55.979Z

Link: CVE-2026-11126

cve-icon Vulnrichment

Updated: 2026-06-08T15:42:53.002Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:18.570

Modified: 2026-06-09T03:05:37.077

Link: CVE-2026-11126

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11126 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T18:00:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-940

    Improper Verification of Source of a Communication Channel