Description
Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper handling of XML data in Google Chrome, which permits a remote attacker to inject arbitrary scripts or HTML content when a crafted page is loaded. This lets the attacker execute script in the victim's browser outside the origin that served it, potentially compromising sensitive information such as cookies, session credentials, or user data. The flaw is classified as a universal cross-site scripting (UXSS) issue, tracked as CWE-79, with a medium severity rating reported by Chromium.

Affected Systems

Google Chrome on all supported operating systems is affected; the flaw applies to any build prior to 149.0.7827.53, the first release that contains the XML parsing fix.

Risk and Exploitability

The CVSS score is 6.1 and the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. A remote attacker can trigger exploitation by hosting a specially crafted HTML page containing malicious XML content and luring a user to it; when Chrome parses the page, the injected script executes. Because the attack requires user interaction to load the page, the overall exploitability is moderate, with potential impact on the confidentiality, integrity, and availability of the browser session.

Generated by OpenCVE AI on June 6, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 149.0.7827.53 or a later release, which incorporates the XML parsing fix.
  • If the latest update cannot be applied immediately, disable unsafe XML parsing features via Chrome flags (e.g., “Enable or disable XML processing”) or use extensions that block inline scripting.
  • Configure network security controls or browser security settings to block or sandbox execution of unexpected scripts and reduce exposure to malicious content.



Advisories
Source: Debian DSA | ID: DSA-6325-1 | Title: chromium security update
History

Mon, 08 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows (added)
CPEs (added):
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products (added): Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title: chromium-browser: Inappropriate implementation in XML
References: (no values listed)
Metrics: threat_severity None (removed), threat_severity Moderate (added)


Sat, 06 Jun 2026 06:15:00 +0000

Type | Values Removed | Values Added
Title: Remote Cross-Site Scripting via Improper XML Handling in Google Chrome

Sat, 06 Jun 2026 04:30:00 +0000

Type | Values Removed | Values Added
Metrics (added):
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
Title: Remote Cross-Site Scripting via Improper XML Handling in Google Chrome
Weaknesses: CWE-79

Fri, 05 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
First Time appeared: Google, Google chrome (added)
Vendors & Products (added): Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description (added): Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:28:08.444Z

Reserved: 2026-06-04T17:10:30.799Z

Link: CVE-2026-11150

Vulnrichment

Updated: 2026-06-06T03:27:03.943Z

NVD

Status : Analyzed

Published: 2026-06-04T23:17:21.377

Modified: 2026-06-08T14:46:19.780

Link: CVE-2026-11150

Redhat

Severity : Moderate

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11150 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-06T06:00:14Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')