Description
Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Downloads component of Google Chrome and permits a remote attacker to craft an HTML page that bypasses Chrome’s navigation restrictions. By loading the page, a malicious user could potentially trigger download-related navigation actions that Chrome normally forbids, thereby enabling the attacker to influence or hijack browser navigation. The weakness is rooted in inappropriate handling of navigation constraints within the download flow.

Affected Systems

The vulnerability affects Google Chrome. Specific version details are not listed in the public advisory; however, the issue impacts all Chrome installations that have not applied the security update 149.0.7827.53. No other vendors or products are indicated in the CNA’s notified scope.

Risk and Exploitability

Chromium classifies the severity of this issue as Low, and no EPSS score is presently available, so the likelihood of exploitation cannot be quantified. The problem has not been included in the CISA KEV catalog. Based on the description, the attack vector is remote and depends on a crafted HTML page that the user must open or navigate to, implying that social‑engineering or phishing could be used to entice victims. Given the lack of a high CVSS score and the absence of a known exploit, the risk remains modest but is not negligible in environments where browsers are configured to download without strict navigation checks.

Generated by OpenCVE AI on June 5, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or newer, which implements the necessary checks to enforce navigation restrictions.
  • Ensure automatic updates are enabled for Chrome, so the browser receives security patches promptly.
  • Configure Chrome policies or settings to require explicit user confirmation before new page navigations triggered by a download.

Generated by OpenCVE AI on June 5, 2026 at 00:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Remote Navigation Restriction Bypass via Crafted HTML Page in Google Chrome Downloads
Weaknesses CWE-601

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:05:58.751Z

Reserved: 2026-06-04T17:11:01.729Z

Link: CVE-2026-11243

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:00.607

Modified: 2026-06-05T00:17:00.607

Link: CVE-2026-11243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses