Description
Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome prior to 149.0.7827.53, the Web Share function was implemented in a way that allowed a malicious web page to trick a user into executing specific UI gestures. When the user performed those gestures, data from another origin could be inadvertently shared. The flaw stems from improper input validation (CWE‑20 and CWE‑346) and results in the leakage of sensitive cross‑origin information. The assigned Chromium severity is Medium, indicating that while the vulnerability is not immediately destructive, it can expose confidential data.

Affected Systems

Google Chrome versions earlier than 149.0.7827.53 are affected. Users must upgrade to a version that includes the fix (149.0.7827.53 or later).

Risk and Exploitability

The vulnerability is exploitable only when the victim visits a malicious site and follows a trick that triggers the Web Share gesture. There is no publicly known exploit and the CVE is not listed in the CISA KEV catalog. The CVSS score of 6.5 indicates a medium severity, and the EPSS score of < 1% suggests a low likelihood of exploitation. The requirement for a user action indicates a moderate risk for exposed data.

Generated by OpenCVE AI on June 7, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or newer
  • Disable the Web Share feature via Chrome policy or flags if an upgrade cannot be performed immediately
  • Provide user training to recognize and avoid malicious share‑triggering gestures

Generated by OpenCVE AI on June 7, 2026 at 15:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Cross‑origin Data Leak via Web Share API chromium-browser: Insufficient validation of untrusted input in Web Share
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Fri, 05 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title Remote Cross‑origin Data Leak via Web Share API
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-08T18:00:41.511Z

Reserved: 2026-06-04T17:06:56.431Z

Link: CVE-2026-11128

cve-icon Vulnrichment

Updated: 2026-06-08T15:50:09.201Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:18.837

Modified: 2026-06-09T03:05:09.900

Link: CVE-2026-11128

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11128 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:15:46Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-346

    Origin Validation Error