Description
Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome does not enforce policy on CSS requests that can be exploited by a remote attacker to read cross‑origin data from a crafted HTML page. The flaw allows an attacker to read, and therefore disclose, content that should remain private to the target origin. This is an information‑disclosure vulnerability and is classified as CWE‑200.

Affected Systems

The vulnerability affects Google Chrome versions prior to 149.0.7827.53. Users running any earlier build of Chrome are susceptible until they upgrade to the fixed release or later.

Risk and Exploitability

The CVE is marked as low severity by Chromium; no EPSS score is available and it is not listed in CISA’s KEV catalog. The attack requires a user to visit a malicious web page that serves specially crafted CSS, which can then be used by the attacker’s code to extract data from a different origin. Though the likelihood of exploitation appears modest, the consequence is a straightforward leak of sensitive information.

Generated by OpenCVE AI on June 5, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Google Chrome 149.0.7827.53 or newer.
  • Ensure Chrome’s auto‑update feature is enabled so future patches are applied promptly.
  • If upgrading immediately is not possible, consider using a browser that enforces stricter same‑origin CSS policies or disabling CSS loading from external origins for untrusted sites.

Generated by OpenCVE AI on June 5, 2026 at 00:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Insufficient CSS Policy Enforcement in Google Chrome
Weaknesses CWE-200

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:19.725Z

Reserved: 2026-06-04T17:11:16.434Z

Link: CVE-2026-11288

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:06.323

Modified: 2026-06-05T00:17:06.323

Link: CVE-2026-11288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:15:15Z

Weaknesses