Description
Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input in the Shortcuts feature of Google Chrome on macOS. A malicious shortcut file can cause the browser to ignore its navigation restrictions, allowing an attacker to redirect the user to arbitrary URLs. This abuse can lead to phishing, credential theft, or delivery of malware, compromising the user’s confidentiality and integrity of data. No direct code execution is disclosed, but the ability to bypass navigation controls is significant.

Affected Systems

Google Chrome versions on macOS prior to 149.0.7827.53 are affected. The issue is specific to the Shortcuts component used by the browser on the Mac operating system.

Risk and Exploitability

The CVSS score is not provided, and EPSS is unavailable, indicating limited public exploitation data. The vulnerability requires an attacker to supply a crafted shortcut file, implying that exploitation may require local interaction or phishing. The vulnerability is not listed in CISA KEV, suggesting it has not yet been widely exploited. Nevertheless, the potential to redirect users to malicious sites warrants prompt remediation.

Generated by OpenCVE AI on June 5, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.53 or later
  • Disable the Shortcuts feature by navigating to chrome://flags and setting "Enable Shortcuts" to Disabled
  • Search the system for recently created shortcut files and delete any that are unfamiliar or suspicious

Generated by OpenCVE AI on June 5, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Chrome on Mac: Shortcuts Input Validation Bypass Enabling Navigation Restrictions Escape
Weaknesses CWE-20

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:17.665Z

Reserved: 2026-06-04T17:11:14.808Z

Link: CVE-2026-11283

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:05.670

Modified: 2026-06-05T00:17:05.670

Link: CVE-2026-11283

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:30:25Z

Weaknesses