Description
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Serial API of Google Chrome enables a remote attacker to inject arbitrary scripts or HTML into a page when a user visits a specially crafted HTML file. The vulnerability is a user‑experience cross‑site scripting flaw identified with CWE‑79. If exploited, the attacker can execute JavaScript in the context of the browsing session, potentially compromising user data or performing malicious actions under the victim’s authority. The flaw requires the victim to load a malicious HTML page that triggers the flaw. The CVSS score of 6.1 indicates moderate risk to confidentiality, integrity, and availability of the affected user’s system.

Affected Systems

Google Chrome is the only vendor/product mentioned. The vulnerability exists in all versions prior to 149.0.7827.155; no specific list of affected versions is supplied, so treat all earlier releases as affected. No work‑arounds or patch details are published by the vendor in the provided data.

Risk and Exploitability

The flaw has an EPSS score of <1%, suggesting that current exploitation likelihood is very limited. It is not listed in the CISA KEV catalog, further reducing immediate threat perception. Because the attack vector involves a crafted HTML page, anyone who can persuade a user to load that page can trigger the vulnerability. The CVSS score highlights that the flaw can potentially lead to user session compromise but does not allow remote code execution beyond the browser context.

Generated by OpenCVE AI on June 18, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.155 or later, as this release includes the fix for the Serial API UXSS vulnerability.
  • If an update cannot be applied immediately, configure enterprise or local policies to block or disable access to the Serial API, preventing the vulnerable code path from being reachable.
  • Continuously monitor Chrome security advisories and known indicators of compromise for signs that attackers are targeting this flaw, and plan for rapid patch deployment when feasible.

Generated by OpenCVE AI on June 18, 2026 at 14:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title UXSS via Serial implementation in Chrome allowing remote script injection chromium-browser: chromium-browser: Inappropriate implementation in Serial
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title UXSS via Serial implementation in Chrome allowing remote script injection

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T10:57:21.163Z

Reserved: 2026-06-16T19:38:31.102Z

Link: CVE-2026-12459

cve-icon Vulnrichment

Updated: 2026-06-17T10:57:14.153Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T01:38:21Z

Links: CVE-2026-12459 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')