Description
Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient policy enforcement in CSS parsing in Google Chrome versions prior to 149.0.7827.53. A malicious web page can provide specially crafted CSS rules that cause the browser to read data from a different origin, thereby leaking sensitive information. This flaw does not provide direct code execution but allows a remote attacker to observe cross‑origin data that normally would be inaccessible.

Affected Systems

All users running Google Chrome on Windows, macOS, or Linux with a stable‑channel version older than 149.0.7827.53 are susceptible. The issue is confined to the stable releases; other channels are unaffected according to the advisory.

Risk and Exploitability

Chromium classifies this issue as Medium, reflected by a CVSS score of 4.3, indicating a moderate severity level. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The likely attack vector is a user visiting a web page that hosts the crafted CSS; no elevated privileges or code execution are required to achieve the information disclosure.

Generated by OpenCVE AI on June 7, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later
  • Enforce automatic updates for Chrome deployments to ensure the patched version is installed
  • Apply a content‑security policy that disallows loading external CSS from untrusted origins as a temporary mitigative measure
  • Verify that web applications handling state‑changing requests implement CSRF protections in accordance with CWE‑352 best practices

Generated by OpenCVE AI on June 7, 2026 at 16:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome CSS Parsing Bug Enables Cross‑Origin Data Leakage chromium-browser: Insufficient policy enforcement in CSS
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Chrome CSS Parsing Bug Enables Cross‑Origin Data Leakage

Fri, 05 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Cross-Origin Data Leakage via Inadequate CSS Parsing in Google Chrome
Weaknesses CWE-200

Fri, 05 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Cross-Origin Data Leakage via Inadequate CSS Parsing in Google Chrome
Weaknesses CWE-200

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T17:49:04.150Z

Reserved: 2026-06-04T17:10:32.203Z

Link: CVE-2026-11155

cve-icon Vulnrichment

Updated: 2026-06-05T17:48:48.533Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:21.960

Modified: 2026-06-08T14:46:41.143

Link: CVE-2026-11155

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11155 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:15:03Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-352

    Cross-Site Request Forgery (CSRF)