Description
Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome's enforcement of Content Security Policy can be bypassed by a remote attacker via a crafted HTML page. CSP is a policy a site sends to restrict which scripts and other resources its pages may load; a bypass means content the site's policy should block, such as script injected through a separate cross-site scripting flaw, can run despite the policy. The bypass removes a defense-in-depth layer rather than granting code execution on its own, so its practical impact depends on an injection point already existing in a page the victim visits. The public description does not state the root cause.

Affected Systems

Google Chrome versions prior to 149.0.7827.53 are affected; 149.0.7827.53 is the first fixed build. The CVE record lists only Google Chrome, though other Chromium-based browsers built from the same code may remain exposed until they ship the corresponding Chromium fix.

Risk and Exploitability

Chromium’s internal assessment rates the vulnerability as Low severity; no EPSS score is available and the flaw is not listed in the CISA KEV catalog. The attack vector is fully remote: exploitation needs only that the victim’s browser render a crafted HTML page, with no prior foothold on the machine, and the CVE description states no further preconditions. What limits the impact is that a CSP bypass is not itself an injection or code-execution primitive; it matters where a site’s CSP is the control standing between an existing injection flaw and script execution, which is consistent with the Low rating. Large-scale exploitation is therefore considered unlikely, but sites that lean on CSP as their main XSS defense should treat the period before users update as one in which that defense is weakened.

Generated by OpenCVE AI on June 5, 2026 at 01:28 UTC.

Remediation

Fixed in Google Chrome 149.0.7827.53, the first build outside the affected range stated in the description; no separate workaround is published.

OpenCVE Recommended Actions

  • Update Google Chrome to 149.0.7827.53 or later
  • If immediate update is not possible, use managed update controls (Chrome’s RelaunchNotification and RelaunchNotificationPeriod policies) to move fleet browsers onto 149.0.7827.53 quickly; note that CSP is set per site by the web application, not by the browser, so no Chrome Enterprise policy can lock or enforce a site’s Content Security Policy
  • Keep Chrome’s sandbox and site isolation enabled (do not launch with --no-sandbox; leave the SitePerProcess policy on); they do not prevent a CSP bypass, which runs script in the context of the affected page, but they limit what a compromised renderer can reach
  • Web application owners should not rely on CSP alone: fix the injection flaws CSP is meant to contain, and prefer nonce- or hash-based policies over 'unsafe-inline' so that a browser-side bypass is the only thing standing between an injection and execution, not the policy design itself

Generated by OpenCVE AI on June 5, 2026 at 01:28 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Google; Google chrome
Vendors & Products                     Google; Google chrome

Fri, 05 Jun 2026 01:45:00 +0000

Type    Values Removed   Values Added
Title                    Google Chrome Browser CSP Bypass Vulnerability

Thu, 04 Jun 2026 23:45:00 +0000

Type          Values Removed   Values Added
Description                    Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:09.816Z

Reserved: 2026-06-04T17:11:09.048Z

Link: CVE-2026-11264

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-05T00:17:03.250

Modified: 2026-06-05T00:17:03.250

Link: CVE-2026-11264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T03:15:15Z

Weaknesses

No weakness.