Description
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness arises from insufficient validation of untrusted input in the Cast implementation of Google Chrome. An attacker can supply a specially crafted HTML page that bypasses the browser’s same‑origin policy. This would allow the attacker to read or modify data from sites that the user has visited, potentially leading to data theft or injection of malicious scripts. The vulnerability is an input validation error (CWE‑20) and is considered low severity by Chromium’s internal metrics.

Affected Systems

The flaw affects all Google Chrome installations that use a version earlier than 149.0.7827.53. Users who have not upgraded their browser are at risk. No other vendors or products are listed as affected.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly reported exploitation at this time. Nonetheless, the bug can be triggered by loading a crafted HTML page in a victim’s browser, which requires convincing the user to visit the malicious page or opening a local file. Although the severity is low, the capability to break the same‑origin policy is valuable to threat actors for data exfiltration or script injection.

Generated by OpenCVE AI on June 5, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to 149.0.7827.53 or later.
  • If the Cast feature is not needed, disable it in Chrome’s settings to limit exposure.
  • Enable Chrome’s automatic update feature to receive future security updates promptly.

Generated by OpenCVE AI on June 5, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Improper Cast Input Validation in Chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:07.770Z

Reserved: 2026-06-04T17:11:07.459Z

Link: CVE-2026-11259

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:02.600

Modified: 2026-06-05T00:17:02.600

Link: CVE-2026-11259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses