Description
Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper handling of payment data in Chrome for Android prior to 149.0.7827.53 allows a local attacker to read cross‑origin information through a specially crafted HTML page, a data‑exposure vulnerability that could be abused via a crafted request. The issue is associated with CWE‑352 and, according to the vulnerability list, also carries CWE‑940, indicating an inappropriate use of privileged features that may further facilitate information leakage.

Affected Systems

All users of Google Chrome on Android running versions before 149.0.7827.53 are vulnerable. The Payments component of the browser is affected, and any local website or file capable of rendering the crafted HTML content could trigger the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, implying no widely reported exploitation. However, the vulnerability requires only local device access, which makes it attractive to malware already running on the same device. Successful exploitation could compromise confidential user data, and the absence of public exploits does not diminish the importance of applying the fix.

Generated by OpenCVE AI on June 7, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 149.0.7827.53 or later, which contains the fix for the Payments data‑exposure flaw.
  • If an immediate update is not feasible, disable the Payments API in Chrome via the flags page (chrome://flags) or remove the component from the device’s Chromium build so that the vulnerability cannot be exploited.
  • Avoid loading or interacting with untrusted local HTML pages that might target the Payments component until the browser is updated.

Advisories

  Source: Debian DSA
  ID: DSA-6325-1
  Title: chromium security update

History

Mon, 08 Jun 2026 15:00:00 +0000
  First Time appeared: Google android
  CPEs: cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
  Vendors & Products: Google android

Sun, 07 Jun 2026 12:15:00 +0000
  Title: removed "Local Data Leak via Payments in Chrome on Android"; added "chromium-browser: Inappropriate implementation in Payments"
  Weaknesses: CWE-940
  References: (changed; values not listed)
  Metrics: threat_severity removed "None"; added "Moderate"

Sat, 06 Jun 2026 08:15:00 +0000
  Title: Local Data Leak via Payments in Chrome on Android

Sat, 06 Jun 2026 06:15:00 +0000
  Title: Local Cross‑Origin Data Leak via Crafted Page in Chrome Android Payments
  Weaknesses: CWE-200

Sat, 06 Jun 2026 04:30:00 +0000
  Weaknesses: CWE-352
  Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:30:00 +0000
  First Time appeared: Google, Google chrome
  Vendors & Products: Google, Google chrome

Fri, 05 Jun 2026 04:15:00 +0000
  Title: Local Cross‑Origin Data Leak via Crafted Page in Chrome Android Payments
  Weaknesses: CWE-200

Thu, 04 Jun 2026 23:15:00 +0000
  Description: Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-06-06T03:29:54.074Z
  Reserved: 2026-06-04T17:10:30.155Z
  Link: CVE-2026-11148

Vulnrichment
  Updated: 2026-06-06T03:29:48.856Z

NVD
  Status: Analyzed
  Published: 2026-06-04T23:17:21.147
  Modified: 2026-06-08T14:46:30.643
  Link: CVE-2026-11148

Red Hat
  Severity: Moderate
  Public Date: 2026-06-02T00:00:00Z
  Links: CVE-2026-11148 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-06-07T16:45:04Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-940: Improper Verification of Source of a Communication Channel