Description
Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Chrome’s enforcement of Content Security Policy allows a remote attacker to bypass the policy by having the victim load a specially constructed HTML page. The bypass lets the attacker serve content that the page’s policy would normally block. The weakness is classified as a protection mechanism failure (CWE-693) together with cross-site scripting (CWE-79).

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected. The issue was identified as a policy bypass that only impacts browsers running those builds.

Risk and Exploitability

Chromium’s internal assessment rates the vulnerability as low severity (the CVSS 3.1 base score is 4.3), and the EPSS score is below 1%. The flaw is not currently listed in the CISA KEV catalog. An attacker can exploit the weakness remotely by serving the crafted HTML page to a user’s browser; the bypass requires no prior foothold on the system. Because of the low severity rating and the absence of an enterprise-specific angle, the likelihood of large-scale exploitation is considered modest, although the attack vector is fully remote.

Generated by OpenCVE AI on June 7, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 149.0.7827.53 or later
  • If immediate update is not possible, configure Chrome Enterprise policy to lock the Content Security Policy settings and disallow user overrides
  • Enable Chrome’s built‑in sandbox and site isolation features to reduce impact of any bypass

Advisories
Source: Debian DSA
ID: DSA-6325-1
Title: chromium security update
History

Mon, 08 Jun 2026 14:30:00 +0000

Values Added:
  • First Time appeared: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  • CPEs:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Values Added:
  • Title: chromium-browser: Policy bypass in Content Security Policy
  • Weaknesses: CWE-79
  • References
  • Metrics: threat_severity: Low

Values Removed:
  • Metrics: threat_severity: None


Fri, 05 Jun 2026 23:00:00 +0000

Values Added:
  • Title: Google Chrome Browser CSP Bypass Vulnerability

Fri, 05 Jun 2026 21:30:00 +0000

Values Added:
  • Metrics: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 20:30:00 +0000

Values Added:
  • Weaknesses: CWE-693
  • Metrics: cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 05 Jun 2026 03:30:00 +0000

Values Added:
  • First Time appeared: Google; Google chrome
  • Vendors & Products: Google; Google chrome

Fri, 05 Jun 2026 01:45:00 +0000

Values Added:
  • Title: Google Chrome Browser CSP Bypass Vulnerability

Thu, 04 Jun 2026 23:45:00 +0000

Values Added:
  • Description: Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
  • References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:46:42.973Z

Reserved: 2026-06-04T17:11:09.048Z

Link: CVE-2026-11264

Vulnrichment

Updated: 2026-06-05T19:46:36.130Z

NVD

Status: Analyzed

Published: 2026-06-05T00:17:03.250

Modified: 2026-06-08T14:18:57.777

Link: CVE-2026-11264

Redhat

Severity: Low

Published Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11264 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-07T15:45:03Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')