A flaw in Chrome’s handling of the History API allowed a remote attacker to craft an HTML page that could be loaded by a user and trick the browser into presenting a counterfeit user interface. The vulnerability does not provide direct access to data or system control, but it can enable social‑engineering attacks by making a malicious page look like a legitimate browser or application UI. The flaw is marked as low severity by Chromium but can still be leveraged in phishing scenarios, especially if the attacker can reliably deliver the crafted page to a target user.

Google Chrome is the affected product. All versions prior to 149.0.7827.53 are vulnerable, and the issue was addressed in the 149.0.7827.53 release.

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The description shows that a remote attacker can supply a crafted HTML page that, when opened in the browser, will display a counterfeit UI. It is likely that the attack requires the user to open the malicious page in their own session, so social engineering is a central component; there are no privileged preconditions. Because the effect is limited to UI spoofing, the impact on confidentiality, integrity, and availability is minimal, but attackers could exploit it for phishing or tricking users into revealing credentials.