Impact
Google Chrome versions prior to 149.0.7827.53 have an insecure permissions implementation that lets a remote attacker use a crafted HTML page to bypass the browser’s Content Security Policy (CSP). The flaw stems from improper enforcement of CSP constraints, a weakness that can allow arbitrary script execution or data exfiltration when a malicious page is opened. Although Chromium rates the severity as low, the ability to execute untrusted code within the browser’s context raises the risk to the confidentiality, integrity, and availability of the affected system.
Affected Systems
All stable channel releases of Google Chrome older than 149.0.7827.53 on desktop platforms are affected. The vulnerability applies to every device that runs these browser versions, regardless of operating system, because it is tied to the core rendering engine’s permission handling.
Risk and Exploitability
No publicly available exploit is known, and no EPSS score is available, so the exact likelihood of exploitation remains unclear. The flaw can be triggered by a crafted HTML page delivered via a web server or even a local file, implying that a remote or local attacker could use social engineering or phishing to induce a user to open the page. The CVE is not listed in the CISA KEV catalog, indicating that it is not a known high-volume active exploit. Mitigations should still be applied promptly to eliminate the vulnerability, since the attack path is straightforward once the malicious page is visited.
OpenCVE Enrichment