Description
Incorrect security UI in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by an incorrect implementation of the security UI for the file input control in Google Chrome. A malicious web page can trigger a UI-spoofing condition in which the browser shows a file chooser dialog that does not reflect the true source or intent of the request. The flaw falls under the category of UI spoofing weaknesses and is mapped to CWE-451 (User Interface (UI) Misrepresentation of Critical Information) and CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). An attacker may thereby trick a user into selecting or uploading a file the user would not otherwise choose, aiding phishing or social-engineering attacks. The flaw does not provide direct remote code execution or data exfiltration and is classified as low severity.

Affected Systems

All desktop instances of Google Chrome using a version earlier than 149.0.7827.53 are affected. The vulnerability applies to Chrome 149.0.0 through 149.0.7827.52. Versions 149.0.7827.53 and above have the fix applied.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of it being widely exploited. The CVSS 3.1 base score of 4.3 (Medium on the CVSS scale; rated Low by Chromium) reflects a limited impact: the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N records no confidentiality or availability impact, a partial integrity impact, and required user interaction. Exploitation requires a crafted HTML page that persuades a user to interact with a file input control, so the attack depends on the user's cooperation. The overall risk is considered low, and the primary mitigation is to update the browser to a version in which the issue is resolved.

Generated by OpenCVE AI on June 7, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 149.0.7827.53 or later to apply the security fix.
  • Enable Chrome's automatic update feature to receive future patches promptly.
  • Instruct users to verify that file chooser dialogs originate from the expected site and to avoid proceeding with uploads prompted by unfamiliar or suspicious‑looking interfaces.

Advisories

  • Source: Debian DSA; ID: DSA-6325-1; Title: chromium security update
History

Each entry lists the changed field with its values (values removed → values added, where both are shown).

Sun, 07 Jun 2026 12:15:00 +0000
  Title: "File Input UI Spoofing in Google Chrome" → "chromium-browser: Incorrect security UI in File Input"
  Weaknesses: CWE-1021
  References
  Metrics: threat_severity None → Low

Fri, 05 Jun 2026 20:30:00 +0000
  First Time appeared: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
  CPEs:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  Vendors & Products: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Fri, 05 Jun 2026 19:00:00 +0000
  Title: File Input UI Spoofing in Google Chrome

Fri, 05 Jun 2026 17:30:00 +0000
  Title: UI Spoofing via Incorrect File Input Dialog in Google Chrome
  Weaknesses: CWE-639

Fri, 05 Jun 2026 15:30:00 +0000
  Weaknesses: CWE-451
  Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:15:00 +0000
  Title: UI Spoofing via Incorrect File Input Dialog in Google Chrome
  Weaknesses: CWE-639

Fri, 05 Jun 2026 05:00:00 +0000
  First Time appeared: Google, Google chrome
  Vendors & Products: Google, Google chrome

Thu, 04 Jun 2026 23:15:00 +0000
  Description: Incorrect security UI in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
  References

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-06-05T14:23:36.167Z
  Reserved: 2026-06-04T17:10:52.551Z
  Link: CVE-2026-11216

Vulnrichment
  Updated: 2026-06-05T14:23:31.174Z

NVD
  Status: Analyzed
  Published: 2026-06-04T23:17:29.243
  Modified: 2026-06-05T20:25:41.267
  Link: CVE-2026-11216

Red Hat
  Severity: Low
  Public Date: 2026-06-02T00:00:00Z
  Links: CVE-2026-11216 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-06-07T16:45:04Z

Weaknesses

  • CWE-1021: Improper Restriction of Rendered UI Layers or Frames
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information