Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of untrusted input in the Input component of Google Chrome before version 149.0.7827.155. In Chromium's threat model the renderer process is untrusted: it runs web content inside a sandbox, and the checks outside the renderer are meant to constrain what even a fully compromised renderer can reach. Because input coming from the renderer is not validated sufficiently here, an attacker who has already compromised the renderer (via a crafted HTML page that exploits a separate renderer bug) can bypass the same-origin policy and read or manipulate data belonging to other web origins, which can lead to data theft or unauthorized actions on behalf of the user. The underlying weakness is improper input validation (CWE-20).

Affected Systems

The flaw affects Google Chrome releases earlier than 149.0.7827.155; the advisory does not restrict it to a particular platform. Those releases remain exposed until they are updated to 149.0.7827.155 or later. Other Chromium-based browsers share this code and should be checked against their own vendors' advisories for the corresponding fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.2 (vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) rates the bug Medium, and the EPSS score below 1% indicates a very low estimated probability of exploitation in the wild; it is not listed in the CISA KEV catalog. The Chromium project nevertheless rates it High severity, because a same-origin-policy bypass from a compromised renderer undermines the isolation that is supposed to limit what a compromised renderer can reach. Exploitation requires that the attacker first compromise the renderer process, which in practice means chaining this bug with a separate renderer-side vulnerability triggered by a page the user visits; the high attack complexity and required user interaction in the vector reflect that prerequisite. Once it is met, a crafted HTML page can drive the same-origin bypass.

Generated by OpenCVE AI on June 17, 2026 at 17:48 UTC.

Remediation

Vendor fix: Google Chrome 149.0.7827.155 or later, per the CVE description. No workaround is provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 149.0.7827.155 or later, which contains the fix.
  • If an automated update is not available, manually install the official Chrome update package from the vendor.
  • Until patching is possible, reduce exposure to untrusted web content and keep Chrome's Safe Browsing features enabled. These measures only lower the chance of the prerequisite renderer compromise; they do not address the bug itself.
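A version check for the upgrade step above, added here as an example; it is not part of the OpenCVE page or of Google's own tooling. It assumes the fixed version 149.0.7827.155 named in the advisory, that Chrome is installed under one of the binary names listed in the script (an assumption), and that `--version` prints a line containing the four-part version, such as "Google Chrome 149.0.7827.155". The point of the example is the numeric component-wise comparison: a plain string comparison would rank 149.0.7827.99 above 149.0.7827.155.

```shell
#!/bin/sh
# Added example, not OpenCVE or Google code: report whether the locally installed
# Chrome is at or above the version that fixes CVE-2026-12453.
# Assumptions: the fixed version is the one named in the advisory, Chrome can be
# found under one of the binary names below, and `--version` prints a line such
# as "Google Chrome 149.0.7827.155".

FIXED_VERSION="149.0.7827.155"

# version_cmp A B: compare dotted numeric versions component by component.
# Prints -1 if A < B, 0 if equal, 1 if A > B. A missing component counts as 0,
# so "149.0.7827" sorts below "149.0.7827.155".
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# chrome_is_fixed VERSION: succeed (exit 0) if VERSION >= FIXED_VERSION.
chrome_is_fixed() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# parse_chrome_version LINE: extract the first four-part version token from a
# line like "Google Chrome 149.0.7827.155"; prints nothing if none is present.
parse_chrome_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# installed_chrome_version: query the first Chrome binary found (assumed names
# and paths); prints the version, or fails if no binary is found.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1; then
            parse_chrome_version "$("$bin" --version 2>/dev/null)"
            return 0
        fi
    done
    return 1
}

main() {
    v=$(installed_chrome_version) || { echo "Chrome not found"; return 2; }
    [ -n "$v" ] || { echo "Could not parse Chrome version"; return 2; }
    if chrome_is_fixed "$v"; then
        echo "Chrome $v: at or above $FIXED_VERSION, not affected by CVE-2026-12453"
        return 0
    fi
    echo "Chrome $v: below $FIXED_VERSION, update required"
    return 1
}

# Run the check only when invoked as `sh check_chrome.sh --check`, so the
# functions can also be sourced from another script or fed inventory data.
case "${1:-}" in
    --check) main ;;
esac
```

On Windows the installed version is not available through `--version` in the same way (it can be read from the browser's about page or from the registry), but the comparison functions are the portable part: a fleet inventory can feed each host's reported version to `chrome_is_fixed` to list machines that still need the update.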

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

  Metrics (values added):
    cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 07:00:00 +0000

  First Time appeared (values added): Google; Google chrome
  Vendors & Products (values added): Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

  Description (values added): Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
  Weaknesses (values added): CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:56:01.436Z

Reserved: 2026-06-16T19:38:28.932Z

Link: CVE-2026-12453

Vulnrichment

Updated: 2026-06-17T10:55:54.356Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses
  • CWE-20

    Improper Input Validation