Impact
An inappropriate implementation in the Serial API of Google Chrome enables a remote attacker to inject arbitrary scripts or HTML into a page when a user visits a specially crafted HTML file. The vulnerability is a user‑experience cross‑site scripting flaw identified with CWE‑79. If exploited, the attacker can execute JavaScript in the context of the browsing session, potentially compromising user data or performing malicious actions under the victim’s authority. The flaw requires the victim to load a malicious HTML page that triggers the flaw. The CVSS score of 6.1 indicates moderate risk to confidentiality, integrity, and availability of the affected user’s system.
Affected Systems
Google Chrome is the only vendor/product mentioned. The vulnerability exists in all versions prior to 149.0.7827.155; no specific list of affected versions is supplied, so treat all earlier releases as affected. No work‑arounds or patch details are published by the vendor in the provided data.
Risk and Exploitability
The flaw has an EPSS score of <1%, suggesting that current exploitation likelihood is very limited. It is not listed in the CISA KEV catalog, further reducing immediate threat perception. Because the attack vector involves a crafted HTML page, anyone who can persuade a user to load that page can trigger the vulnerability. The CVSS score highlights that the flaw can potentially lead to user session compromise but does not allow remote code execution beyond the browser context.
OpenCVE Enrichment
Debian DSA