Description
Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insufficiently validated input vector in the Network module of Google Chrome allows a remote attacker, once having compromised the renderer process, to bypass the same‑origin policy. The flaw is a classic input validation weakness that can be exploited to gain unauthorized access to web page resources that would normally be restricted by browser security boundaries.

Affected Systems

Victims are users running Google Chrome prior to version 149.0.7827.53. The affected component is the renderer process within the browser. Any Chrome installation on which the renderer has been compromised can be impacted.

Risk and Exploitability

The reported Chromium security severity is low, and there is no EPSS score or KEV listing. A successful exploitation requires an attacker to have already gained control of the renderer process, which is a non‑trivial prerequisite. Without this compromise, the flaw is not exploitable, so the risk remains low to medium depending on the likelihood of renderer compromise in the environment.

Generated by OpenCVE AI on June 5, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later
  • Enable site isolation or renderer process isolation policies if not already active
  • Monitor Chrome’s renderer processes for anomalous behavior and consider disabling untrusted renderer modules when possible

Generated by OpenCVE AI on June 5, 2026 at 03:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Title Untrusted Input Allows Same‑Origin Policy Bypass in Chrome Renderer

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:51.018Z

Reserved: 2026-06-04T17:10:55.155Z

Link: CVE-2026-11223

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T23:17:30.033

Modified: 2026-06-04T23:17:30.033

Link: CVE-2026-11223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T04:30:31Z

Weaknesses