Description
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation of the SVG engine in Google Chrome before version 149.0.7827.53 enables a remote attacker to craft an HTML page that forces the browser to expose data from a different origin. The flaw allows data leakage without any authentication or code execution, resulting in a confidentiality breach that could reveal sensitive information such as cookies, local storage, or other web‑app data that the victim normally cannot access.

Affected Systems

Google Chrome browsers using versions prior to 149.0.7827.53 are affected.

Risk and Exploitability

This vulnerability is exploitable by a remote attacker who can host or influence a crafted HTML page, making it possible to read cross‑origin content from the victim’s session. Since there is no authentication requirement and no privileged execution needed, the risk is high for end users browsing untrusted sites. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but the potential impact on data confidentiality warrants prompt attention.

Generated by OpenCVE AI on June 5, 2026 at 03:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.53 or later
  • If an immediate update is not possible, enforce an enterprise policy that disables or blocks SVG rendering for untrusted content
  • Review and restrict cross‑origin resource loading in corporate security settings to limit exposure to malicious SVG files

Generated by OpenCVE AI on June 5, 2026 at 03:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title SVG Cross‑Origin Data Leak in Google Chrome
Weaknesses CWE-200

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:34.027Z

Reserved: 2026-06-04T17:10:40.540Z

Link: CVE-2026-11182

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:25.123

Modified: 2026-06-04T23:17:25.123

Link: CVE-2026-11182

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:00:12Z

Weaknesses