Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can supply specially crafted untrusted input to Google Chrome before version 149.0.7827.103, enabling them to forge user interface elements and trick users into interacting with malicious controls. This flaw does not allow arbitrary code execution, but it can be leveraged for phishing or social engineering attacks that compromise user trust and data. The underlying weaknesses are improper input validation (CWE-20) and cross-site scripting (CWE-79).

Affected Systems

The vulnerability exists in all Google Chrome releases before 149.0.7827.103 on all platforms. Users running older Chrome versions are susceptible; upgrading to the current stable channel mitigates the issue.

Risk and Exploitability

Chromium rates the severity of this flaw as High; the CVSS 3.1 base score is 5.4 (Medium), and it is not currently listed in the CISA KEV catalog. The EPSS score is below 1 %, indicating a very low likelihood of exploitation at the time of this analysis. The attack requires the attacker to host a malicious HTML page or inject crafted content, and a user must visit and interact with that page (CVSS UI:R). Because the flaw allows UI manipulation but not code execution, its impact is limited to deceiving users who reach the attacker's content. Nonetheless, the High vendor severity coupled with the ability to deceive users warrants prompt remediation.

Generated by OpenCVE AI on June 11, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 149.0.7827.103 or later, which includes the fix for the input validation issue.
  • Configure a strict Content Security Policy that limits or sanitizes dynamically generated UI elements to reduce the chance of UI spoofing from injected content.
  • Monitor user interaction logs for anomalous UI patterns and report suspected fraud, to help refine defenses and identify attack attempts.

Advisories
Source     | ID         | Title
Debian DSA | DSA-6337-1 | chromium security update
History

Thu, 11 Jun 2026 00:15:00 +0000

Type       | Values Removed                                   | Values Added
Title      | UI Spoofing via Untrusted Input in Google Chrome | chromium-browser: Insufficient validation of untrusted input in Input
Weaknesses |                                                  | CWE-79
References |                                                  |
Metrics    | threat_severity: None                            | threat_severity: Important

Wed, 10 Jun 2026 20:15:00 +0000

Type  | Values Removed | Values Added
Title |                | UI Spoofing via Untrusted Input in Google Chrome

Wed, 10 Jun 2026 18:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
Weaknesses         |                | NVD-CWE-noinfo
CPEs               |                | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products |                | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Tue, 09 Jun 2026 15:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Insufficient Input Validation Leading to UI Spoofing in Chrome

Tue, 09 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Insufficient Input Validation Leading to UI Spoofing in Chrome

Tue, 09 Jun 2026 01:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Google; Google chrome
Vendors & Products |                | Google; Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Weaknesses  |                | CWE-20
References  |                |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T12:53:38.389Z

Reserved: 2026-06-08T21:33:45.727Z

Link: CVE-2026-11666

Vulnrichment

Updated: 2026-06-09T12:53:33.384Z

NVD

Status: Analyzed

Published: 2026-06-09T00:16:49.747

Modified: 2026-06-10T18:31:16.470

Link: CVE-2026-11666

Redhat

Severity: Important

Public Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11666 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T02:15:27Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • NVD-CWE-noinfo