Description
Inappropriate implementation in Navigation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Google Chrome’s navigation system allows a remote attacker to create a crafted HTML page that bypasses client‑side navigation restrictions. When a user loads the page, the browser is misled into navigating to URLs or resources that should be blocked, exposing the user to phishing, drive‑by downloads, or other web‑based threats. Chromium rates the vulnerability as low severity; it does not enable remote code execution, credential theft, or other direct system compromise.

Affected Systems

Google Chrome installations running any version earlier than 149.0.7827.53, across all supported operating systems. The flaw resides in the Navigation component of Chrome and is present in any build that predates the 149.0.7827.53 release. Users who have not applied the latest patch remain vulnerable.

Risk and Exploitability

The CVSS score of 4.3 falls in the Medium band, although Chromium rates the issue as low severity. The EPSS score is <1%, implying a very low exploitation probability. The vulnerability is not present in CISA’s KEV catalog. Attackers would need to entice a user to visit a maliciously crafted page, either locally or from a remote host. Practical exposure is therefore limited to users who open such a page, and the security boundary breach does not lead to remote code execution or system compromise on its own.

Generated by OpenCVE AI on June 7, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later to apply the navigation restriction fix
  • If an upgrade cannot be performed immediately, configure Chrome’s group policies or administrative templates to disable or restrict the affected navigation feature where possible
  • Use security extensions or network filtering to block or monitor traffic to known malicious URLs and reduce the risk of a successful navigation bypass

Advisories
Source | ID | Title
Debian DSA | DSA-6325-1 | chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Navigation Restriction Bypass in Google Chrome chromium-browser: Insufficient data validation in Navigation
Weaknesses CWE-551
References
Metrics threat_severity

None

threat_severity

Low


Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Remote Navigation Restriction Bypass in Google Chrome

Fri, 05 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Navigation Restriction Bypass via Crafted HTML in Google Chrome
Weaknesses CWE-285

Fri, 05 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Navigation Restriction Bypass via Crafted HTML in Google Chrome
Weaknesses CWE-285

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Navigation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T14:18:02.691Z

Reserved: 2026-06-04T17:10:53.716Z

Link: CVE-2026-11219

Vulnrichment

Updated: 2026-06-05T14:17:56.362Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:29.577

Modified: 2026-06-05T20:24:23.667

Link: CVE-2026-11219

Redhat

Severity: Low

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11219 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-693

    Protection Mechanism Failure