Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input by Google Chrome before version 149.0.7827.155. An attacker who has already compromised the renderer process can deliver a specially crafted HTML page that tricks Chrome into violating the same‑origin policy. The denial of the origin barrier allows the attacker to read or manipulate data belonging to other web origins, which can lead to data theft or unauthorized actions on behalf of the user. The underlying weaknesses include an input validation flaw (CWE‑20) and a trust boundary bypass (CWE‑346).

Affected Systems

The flaw affects Google Chrome versions earlier than 149.0.7827.155 on desktop platforms. Users running these releases are susceptible until the vendor releases a patch that includes proper input validation checks.

Risk and Exploitability

The CVSS score of 4.2 classifies the bug as moderate, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. Although the vulnerability is not listed in the CISA KEV catalog, the Chromium project has marked it as a high‑severity issue. Exploitation requires that the attacker first compromise the renderer process, which is typically achieved through a preceding vulnerability or user interaction. Once that condition is met, the attacker can manipulate the browser to bypass same‑origin restrictions using a crafted HTML payload.

Generated by OpenCVE AI on June 19, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.155 or later, which restores proper input validation.
  • If an automated update is not available, manually install the official Chrome update package from the vendor.
  • Until patching is possible, restrict access to untrusted content and enable Chrome's Safe Browsing features to reduce the likelihood of renderer compromise.

Generated by OpenCVE AI on June 19, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Untrusted Input Validation Failure Allows Same‑Origin Policy Bypass in Chrome chromium-browser: chromium-browser: Insufficient validation of untrusted input in Input
Weaknesses CWE-346
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Untrusted Input Validation Failure Allows Same‑Origin Policy Bypass in Chrome

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:56:01.436Z

Reserved: 2026-06-16T19:38:28.932Z

Link: CVE-2026-12453

cve-icon Vulnrichment

Updated: 2026-06-17T10:55:54.356Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T01:38:18Z

Links: CVE-2026-12453 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T14:15:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-346

    Origin Validation Error