Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can supply specially crafted untrusted input to Google Chrome before version 149.0.7827.103, enabling them to forge user interface elements and trick users into interacting with malicious controls. This flaw does not allow arbitrary code execution but can be leveraged for phishing or social engineering attacks that compromise user trust and data. The underlying weakness is an improper input validation problem (CWE‑20).

Affected Systems

The vulnerability exists in all pre‑149.0.7827.103 releases of Google Chrome across all platforms. Users running older Chrome versions are susceptible; upgrading to the latest stable channel mitigates the issue.

Risk and Exploitability

Chromium rates the severity of this flaw as High, while its CVSS score is 5.4 (Medium), and it is not currently listed in the CISA KEV catalog. The EPSS score is below 1 %, indicating a very low likelihood of exploitation at the time of this analysis. Exploitation requires the attacker to host a malicious HTML page or inject crafted content, and the user must interact with that page. Because the flaw allows UI manipulation but not code execution, its impact is limited to scenarios in which a user can be induced to interact with spoofed interface elements. Nonetheless, the High Chromium severity combined with the ability to deceive users warrants prompt remediation.

Generated by OpenCVE AI on June 9, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chrome update that includes version 149.0.7827.103 or later, which removes the input validation issue.
  • Configure a strict content security policy that limits or sanitizes dynamic UI elements to reduce the chance of UI spoofing from injected content.
  • Monitor user interaction logs for anomalous UI patterns and report suspected fraud to help refine defenses and identify potential attack attempts.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:45:00 +0000

Type    | Values Removed | Values Added
Title   |                | Insufficient Input Validation Leading to UI Spoofing in Chrome

Tue, 09 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:45:00 +0000

Type    | Values Removed | Values Added
Title   |                | Insufficient Input Validation Leading to UI Spoofing in Chrome

Tue, 09 Jun 2026 01:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Google
                    |                | Google chrome
Vendors & Products  |                | Google
                    |                | Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Weaknesses  |                | CWE-20
References  |                |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T12:53:38.389Z

Reserved: 2026-06-08T21:33:45.727Z

Link: CVE-2026-11666

Vulnrichment

Updated: 2026-06-09T12:53:33.384Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T00:16:49.747

Modified: 2026-06-09T14:16:35.640

Link: CVE-2026-11666

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T15:30:08Z

Weaknesses