Description
Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an inappropriate implementation in the Media Session API in Chrome before version 149.0.7827.53, which allows a remote attacker to construct a crafted HTML page that bypasses the same origin policy. This flaw lets a malicious site access or interact with resources that should be restricted to a different origin, potentially exposing data or enabling further attacks. The Chromium team rates the severity as medium.

Affected Systems

Google Chrome browsers running versions earlier than 149.0.7827.53 are affected. No other vendors or products are listed.

Risk and Exploitability

The flaw can be exploited from any web page that the attacker can host or serve, making the attack vector remote via the browser. No CVSS score is provided, and EPSS is unavailable; the vulnerability is not listed in CISA KEV, indicating no confirmed public exploitation. Given the severity rating and the wide use of Chrome, the risk remains moderate to high until the patch is applied.

Generated by OpenCVE AI on June 5, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer.
  • Ensure that automatic updates are enabled or manually check for updates if automatic updates are disabled.
  • If immediate upgrade is not possible, consider disabling or restricting the Media Session API via enterprise policies or browser extensions to prevent misuse until a fix is available.

Generated by OpenCVE AI on June 5, 2026 at 03:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Google Chrome Media Session Same Origin Policy Bypass via Crafted Web Page
Weaknesses CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T16:15:21.589Z

Reserved: 2026-06-04T17:10:40.252Z

Link: CVE-2026-11181

cve-icon Vulnrichment

Updated: 2026-06-05T16:14:14.041Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-04T23:17:25.013

Modified: 2026-06-05T17:16:41.530

Link: CVE-2026-11181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T06:30:33Z

Weaknesses