Description
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Chrome’s Permissions implementation: versions prior to 149.0.7827.53 enforce Content Security Policy incorrectly, so a crafted HTML page can bypass CSP constraints. The description does not say which directive or enforcement path is affected; based on it, it is inferred that the bypass could permit unintended script execution or data leakage, potentially weakening the isolation the browser sandbox is meant to provide.

Affected Systems

All stable channel desktop releases of Google Chrome older than 149.0.7827.53 are affected. The issue applies to every device that runs these browser versions regardless of operating system, because it is part of the Chromium rendering engine.

Risk and Exploitability

The CVSS score of 4.3 indicates low severity, and the EPSS score is <1%, signifying a very low but nonzero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The CVE states a remote attacker can deliver a crafted HTML page, implying that social engineering or phishing may be used to trigger the exploit. No publicly disclosed exploit is known at this time.

Generated by OpenCVE AI on June 7, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, which contains the fixed permissions handling.
  • Where possible, use Chrome Enterprise policies to enforce content security policy settings, mitigating potential bypasses for internal or untrusted web content.
  • Raise user awareness about the risks of opening unknown or suspicious HTML pages and advise them to check browsers’ security settings after visiting new sites.

Tracking

Advisories
Source: Debian DSA
ID: DSA-6325-1
Title: chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1142

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Policy bypass in Permissions
Weaknesses CWE-79
References
Metrics threat_severity

None

threat_severity

Low


Fri, 05 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Content Security Policy Bypass via Crafted HTML Page in Google Chrome

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Content Security Policy Bypass via Crafted HTML Page in Google Chrome
Weaknesses CWE-1142

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:53:20.274Z

Reserved: 2026-06-04T17:11:07.706Z

Link: CVE-2026-11260

Vulnrichment

Updated: 2026-06-05T19:53:10.808Z

NVD

Status : Analyzed

Published: 2026-06-05T00:17:02.730

Modified: 2026-06-08T14:19:24.580

Link: CVE-2026-11260

Redhat

Severity : Low

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11260 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T18:00:05Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')