Description
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from insufficient validation of untrusted input in the omnibox of Google Chrome versions prior to 149.0.7827.53, allowing a remote attacker to inject arbitrary scripts or HTML into a crafted page that exploits UI gestures. The flaw, identified as CWE‑20, enables arbitrary script execution in the browser context, which can lead to data theft, credential compromise, or further malicious actions by the attacker.

Affected Systems

The impact is limited to desktop versions of Google Chrome across all operating systems, affecting any build before the 149.0.7827.53 patch level. Consequently, users running any older Chrome stable releases are vulnerable until they upgrade.

Risk and Exploitability

Chromium classifies this issue with a Low security severity, and no EPSS score is available. The attack requires the victim to visit a malicious webpage and perform specific UI gestures, indicating that social engineering or user‑prompted actions are needed. While the exploit is theoretically possible, it does not require elevated privileges and there are no publicly documented exploits, resulting in a moderate but still non‑negligible risk for exposed users.

Generated by OpenCVE AI on June 5, 2026 at 00:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or newer through the OS update mechanism or Chrome's built‑in updater.
  • Restart the browser to ensure that the new update is active and any cached omnibox data is cleared.
  • As a temporary protection before applying the update, disable omnibox suggestions by navigating to chrome://settings/omnibox and turning off "Show search suggestions as you type".

Generated by OpenCVE AI on June 5, 2026 at 00:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Untrusted Input Validation Failure in Chrome Omnibox Allows Arbitrary Script Injection

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:13.423Z

Reserved: 2026-06-04T17:11:11.683Z

Link: CVE-2026-11273

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:04.387

Modified: 2026-06-05T00:17:04.387

Link: CVE-2026-11273

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses