Description
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness arises from insufficient validation of untrusted input (CWE‑20) and from improper authentication (CWE‑346) in the Cast implementation of Google Chrome. An attacker can supply a specially crafted HTML page that bypasses the browser’s same‑origin policy. This would allow the attacker to read or modify data from sites that the user has visited, potentially leading to data theft or injection of malicious scripts. The vulnerability is considered low severity by Chromium’s internal metrics.

Affected Systems

The flaw affects all Google Chrome installations that use a version earlier than 149.0.7827.53. Users who have not upgraded their browser are at risk. No other vendors or products are listed as affected.

Risk and Exploitability

The EPSS score is below 1% (0.00021) and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly reported exploitation at this time. The CVSS score is 4.3, reflecting low severity. Nonetheless, the bug can be triggered by loading a crafted HTML page in a victim’s browser, which requires convincing the user to visit the malicious page or opening a local file. Although the severity is low, the capability to break the same‑origin policy is valuable to threat actors for data exfiltration or script injection.

Generated by OpenCVE AI on June 7, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to 149.0.7827.53 or later.
  • If the Cast feature is not needed, disable it in Chrome’s settings to limit exposure.
  • Enable Chrome’s automatic update feature to receive future security updates promptly.

Generated by OpenCVE AI on June 7, 2026 at 15:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Insufficient validation of untrusted input in Cast
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Improper Cast Input Validation in Chrome

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Improper Cast Input Validation in Chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:54:37.507Z

Reserved: 2026-06-04T17:11:07.459Z

Link: CVE-2026-11259

cve-icon Vulnrichment

Updated: 2026-06-05T19:54:29.285Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:02.600

Modified: 2026-06-08T14:19:32.383

Link: CVE-2026-11259

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11259 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:45:03Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-346

    Origin Validation Error