Description
Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the WebUI of Google Chrome prior to version 149.0.7827.53 enables a remote attacker to craft a domain name that is displayed incorrectly in the user interface. The resulting domain spoofing can mislead users into believing they are interacting with a legitimate site, creating a phishing vector. Chromium rates the security severity as Low, indicating limited impact if exploited only to confuse users, but the potential to facilitate social-engineering attacks remains significant.

Affected Systems

All desktop users running Google Chrome versions earlier than 149.0.7827.53 are affected, regardless of operating system. The issue is tied to the stable channel releases, as documented in Google’s release notes and Chromium issue tracker.

Risk and Exploitability

The CVSS score is not publicly documented, the EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only the ability to craft a domain name that the WebUI will display; no additional privileges or code execution are needed. The likely attack vector is a remote phishing scenario where an attacker presents a forged domain to lure a user within Chrome.

Generated by OpenCVE AI on June 5, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome 149.0.7827.53 or later; this release fixes the domain display bug.
  • Disable any custom WebUI or proxy configurations that might bypass standard domain display checks to prevent accidental deception.
  • Verify the real domain name of critical sites in the address bar or tab indicator before entering sensitive data, and consider using browser extensions that enforce strict domain bar display.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Fri, 05 Jun 2026 04:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Domain Spoofing via WebUI in Google Chrome 149.0.7827.53 |
| Weaknesses | | CWE-1030 |

Thu, 04 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low) |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:51.755Z

Reserved: 2026-06-04T17:10:55.697Z

Link: CVE-2026-11225

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:30.270

Modified: 2026-06-04T23:17:30.270

Link: CVE-2026-11225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T04:30:31Z

Weaknesses