Description
Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an inappropriate UI implementation that lets a remote attacker craft an HTML page to access and disclose data that should be blocked by same‑origin policy. The defect allows the attacker to read cross‑origin data, leaking confidential information stored in the browser or underlying Android system. The exposure is limited to data that the user has accessed in that browser session; there is no arbitrary code execution or privilege escalation.

Affected Systems

Google Chrome browsers on Android devices running any version prior to 149.0.7827.53 are affected. The issue is specific to the Android implementation of Chrome’s UI component and does not apply to Chrome on other operating systems.

Risk and Exploitability

The CVSS score of 6.5 is moderate, and the EPSS score is below 1%, indicating a low likelihood of current exploitation. The vulnerability is still not listed in CISA’s KEV catalog, so no widespread exploitation is documented. Attackers would need to host a malicious, crafted HTML page on a web server and convince a user to open it in the vulnerable browser. Because the flaw only leaks data with no execution requirement, the damage is confined to information confidentiality. Nonetheless, malicious actors could reuse the page to harvest data across domains if users visit the page.

Generated by OpenCVE AI on June 7, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 149.0.7827.53 or newer, ensuring the UI bug is fixed.
  • Review browser settings to disable or restrict cross‑origin data sharing where possible.
  • Monitor device logs for unexpected data exfiltration and apply any future security patches from Google promptly.

Generated by OpenCVE AI on June 7, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Inappropriate implementation in UI
Weaknesses CWE-1021
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via UI Vulnerability in Android Chrome
Weaknesses CWE-200

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via UI Vulnerability in Android Chrome
Weaknesses CWE-200

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Android Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T19:35:58.494Z

Reserved: 2026-06-04T17:11:10.787Z

Link: CVE-2026-11270

cve-icon Vulnrichment

Updated: 2026-06-05T19:35:49.567Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:04.020

Modified: 2026-06-08T14:00:38.567

Link: CVE-2026-11270

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11270 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T15:45:03Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames

  • CWE-352

    Cross-Site Request Forgery (CSRF)