Description
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper input validation in the Signin module of Google Chrome for iOS allows a remote attacker to serve a malicious HTML page that mimics the sign‑in user interface. Leveraging this flaw, an attacker could trick a user into entering credentials or other sensitive data into a spoofed form. The primary impact is phishing: the flaw does not give arbitrary code execution or data disclosure, but it can lead to credential theft or unwanted actions if the user complies.

Affected Systems

Chrome for iOS versions older than 149.0.7827.53 are vulnerable. The flaw exists in all earlier builds of Chrome on iOS and affects mobile devices running those builds.

Risk and Exploitability

Chromium rates the severity as Low, and neither a CVSS score nor EPSS data is available. The flaw is remotely exploitable through a crafted webpage, but the attack requires social engineering to lure a user to the malicious page. The lack of code execution limits the damage to credential theft or unintended interactions, and the available Chrome update mitigates the risk. The vulnerability is not yet listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 5, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on iOS to version 149.0.7827.53 or newer.
  • Verify that the displayed sign‑in page URL matches the legitimate Google domain before entering credentials.
  • Keep the device’s operating system and browser updated to receive timely security patches.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type | Values Removed | Values Added
Title | | UI Spoofing Vulnerability in Chrome iOS Sign‑In

Thu, 04 Jun 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:16.486Z

Reserved: 2026-06-04T17:11:13.918Z

Link: CVE-2026-11280

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T00:17:05.270

Modified: 2026-06-05T00:17:05.270

Link: CVE-2026-11280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:30:25Z

Weaknesses