Description
Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome prior to 149.0.7827.53, the Web Share function was implemented in a way that allowed a malicious web page to trick a user into executing specific UI gestures. When the user performed those gestures, data from another origin could be inadvertently shared. The flaw stems from improper input validation (CWE‑20) and results in the leakage of sensitive cross‑origin information. The assigned Chromium severity is Medium, indicating that while the vulnerability is not immediately destructive, it can expose confidential data.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. Users must upgrade to a version that includes the fix (149.0.7827.53 or later).

Risk and Exploitability

The vulnerability is exploitable only when the victim visits a malicious site and follows a trick that triggers the Web Share gesture. There is no publicly known exploit and the CVE is not listed in the CISA KEV catalog. EPSS data is not available, and the requirement for a user action indicates a moderate risk for exposed data.

Generated by OpenCVE AI on June 5, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or newer
  • Disable the Web Share feature via Chrome policy or flags if an upgrade cannot be performed immediately
  • Provide user training to recognize and avoid malicious share‑triggering gestures

Generated by OpenCVE AI on June 5, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title Remote Cross‑origin Data Leak via Web Share API
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:11.360Z

Reserved: 2026-06-04T17:06:56.431Z

Link: CVE-2026-11128

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:18.837

Modified: 2026-06-04T23:17:18.837

Link: CVE-2026-11128

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:15:25Z

Weaknesses