Description
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Serial API of Google Chrome enables a remote attacker to inject arbitrary scripts or HTML into a page when a user visits a specially crafted HTML file. The vulnerability is classified as a universal cross-site scripting (UXSS) flaw and is identified with CWE-79. If exploited, the attacker can execute arbitrary JavaScript in the context of the browsing session, potentially compromising user data or performing malicious actions under the user's authority. The affected code path requires the victim to load a malicious HTML page that triggers the flaw. The severity rating is CVSS 6.1, indicating a moderate risk to confidentiality, integrity, and availability of the affected user's system.

Affected Systems

Google Chrome is the only vendor/product mentioned. The vulnerability exists in all versions prior to 149.0.7827.155; no specific version list is supplied, so the recommendation is to treat all earlier releases as affected. No workarounds or patch details are published by the vendor in the provided data.

Risk and Exploitability

The flaw has a low EPSS score (<1%), suggesting current exploitation likelihood is very limited. It is not listed in the CISA KEV catalog, which further reduces immediate threat perception. However, because the attack vector involves a crafted HTML page, anyone who can persuade a user to load that page can trigger the vulnerability. The CVSS score highlights that the flaw can potentially lead to user session compromise but does not allow remote code execution beyond the browser context.

Generated by OpenCVE AI on June 17, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.155 or later, as this version includes the fix for the Serial API UXSS vulnerability.
  • If an update cannot be applied immediately, configure enterprise or local policies to block or disable access to the Serial API, preventing the vulnerable code path from being reachable.
  • Continuously monitor Chrome security advisories and known indicators of compromise for any signs that attackers are targeting this flaw, and plan for rapid patch deployment when feasible.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type         Values Removed    Values Added
Weaknesses   -                 CWE-79
Metrics      -                 cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 07:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Google; Google chrome
Vendors & Products    -                 Google; Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type          Values Removed    Values Added
Description   -                 Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:57:21.163Z

Reserved: 2026-06-16T19:38:31.102Z

Link: CVE-2026-12459

Vulnrichment

Updated: 2026-06-17T10:57:14.153Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:45:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')