Description
Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Chrome WebUI before version 149.0.7827.53 allows a remote attacker to craft a domain name that the browser displays incorrectly. The spoofed domain can mislead users into believing they are interacting with a legitimate site, creating a phishing vector. The flaw does not enable code execution or privilege escalation; its effect is limited to deceiving users about the site they are visiting.

Affected Systems

All desktop users running Google Chrome versions earlier than 149.0.7827.53, regardless of operating system. The affected releases are part of the stable channel as noted in Google’s release announcements.

Risk and Exploitability

The CVSS score is 6.5 and the EPSS score is below 1%, indicating low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only the ability to present a forged domain to the browser; no additional privileges or code execution are necessary. The likely attack vector is a remote phishing scenario where an attacker delivers a crafted URL to a user within Chrome.

Generated by OpenCVE AI on June 7, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 149.0.7827.53 or later, which resolves the domain display bug.
  • Inferred best practice: before entering sensitive data, verify that the address bar or tab indicates the correct domain name.
  • Inferred best practice: consider enabling extensions that enforce strict domain bar display to help detect spoofed domains.

Generated by OpenCVE AI on June 7, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Domain Display in Chrome WebUI chromium-browser: Incorrect security UI in WebUI
Weaknesses CWE-368
References
Metrics threat_severity

None

 threat_severity

Low

Sat, 06 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 05 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via Incorrect Domain Display in Chrome WebUI

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via WebUI in Google Chrome 149.0.7827.53
Weaknesses CWE-1030

Fri, 05 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Title Domain Spoofing via WebUI in Google Chrome 149.0.7827.53
Weaknesses CWE-1030

Thu, 04 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T13:51:51.891Z

Reserved: 2026-06-04T17:10:55.697Z

Link: CVE-2026-11225

cve-icon Vulnrichment

Updated: 2026-06-05T13:51:45.555Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:30.270

Modified: 2026-06-06T01:57:59.997

Link: CVE-2026-11225

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11225 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:45:04Z

Weaknesses
  • CWE-368

    Context Switching Race Condition

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information