Description
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted QR code. (Chromium security severity: Medium)
Published: 2026-06-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome for iOS suffered from insufficient validation of untrusted input, allowing a remote attacker who convinced a user to perform specific UI gestures to inject arbitrary scripts or HTML through a crafted QR code. This flaw qualifies as an input validation weakness (CWE‑20) and enables the attacker to execute code within the context of Chrome, potentially compromising user data, executing malicious actions, or redirecting to malicious sites. The vulnerability permits the attacker to alter the browser’s execution of scripts, thereby gaining the ability to run arbitrary code or perform privileged interactions within the user’s session.

Affected Systems

The issue affects all instances of Google Chrome for iOS running versions prior to 149.0.7827.53. Users with earlier releases are exposed to the described exploit. No other Chrome variants or platforms are listed as affected.

Risk and Exploitability

The EPSS score of <1% indicates a low likelihood of exploitation, and the CVSS score of 6.1 classifies the vulnerability as Medium severity. Exploitation requires social engineering to convince the user to interact with a malicious QR code, which implies a moderate to high effort and user interaction prerequisite. If successfully exploited, the attacker can inject scripts that execute with the privileges of the Chrome process, allowing significant compromise of confidentiality, integrity, and potentially availability of the user’s browsing experience.

Generated by OpenCVE AI on June 5, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome on iOS to version 149.0.7827.53 or later, which removes the input validation flaw.
  • Disable or avoid using Chrome’s QR code scanner; refrain from scanning untrusted QR codes to eliminate the trigger for the exploit.
  • Clear browsing data and reset Chrome to default settings after patching to remove any inadvertent persistent state that could be abused.

Generated by OpenCVE AI on June 5, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Insufficient validation of untrusted input in Chrome for iOS
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Insufficient Input Validation in Chrome for iOS Allows Remote Script Injection via Crafted QR Code

Fri, 05 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Insufficient Input Validation in Chrome for iOS Allows Remote Script Injection via Crafted QR Code
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted QR code. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Iphone Os
Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T18:53:11.355Z

Reserved: 2026-06-04T17:10:48.597Z

Link: CVE-2026-11205

cve-icon Vulnrichment

Updated: 2026-06-05T14:44:55.295Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:27.697

Modified: 2026-06-05T20:42:55.253

Link: CVE-2026-11205

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11205 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses
  • CWE-20

    Improper Input Validation