Description
Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an inappropriate UI implementation that lets a remote attacker craft an HTML page to access and disclose data that should be blocked by same‑origin policy. The defect allows the attacker to read cross‑origin data, leaking confidential information stored in the browser or underlying Android system. The exposure is limited to data that the user has accessed in that browser session; there is no arbitrary code execution or privilege escalation.

Affected Systems

Google Chrome browsers on Android devices running any version prior to 149.0.7827.53 are affected. The issue is specific to the Android implementation of Chrome’s UI component and does not apply to Chrome on other operating systems.

Risk and Exploitability

The CVSS score is not published and EPSS is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation. Attackers would need to place a malicious, crafted HTML page on a web server and convince a user to open it in the vulnerable browser. Because the flaw only leaks data and no execution is required, the damage is confined to information confidentiality. Nonetheless, malicious actors could reuse the page to harvest data across domains if users visit the page.

Generated by OpenCVE AI on June 5, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 149.0.7827.53 or newer, ensuring the UI bug is fixed.
  • Review browser settings to disable or restrict cross‑origin data sharing where possible.
  • Monitor device logs for unexpected data exfiltration and apply any future security patches from Google promptly.

Generated by OpenCVE AI on June 5, 2026 at 01:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leakage via UI Vulnerability in Android Chrome
Weaknesses CWE-200

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:12.267Z

Reserved: 2026-06-04T17:11:10.787Z

Link: CVE-2026-11270

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:04.020

Modified: 2026-06-05T00:17:04.020

Link: CVE-2026-11270

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:30:25Z

Weaknesses