Description
Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inappropriate handling of Views in Google Chrome on Linux allows an attacker who has already gained control of the renderer process to inject arbitrary scripts or HTML, resulting in user experience cross‑site scripting (UXSS). This flaw can enable malicious code execution within the renderer context and is classified as a high severity issue. The impact depends on the privileges of the compromised renderer; it can lead to data leakage, session hijacking, or further cross‑domain attacks if the injected scripts target surrounding resources.

Affected Systems

Affected are all Linux installations of Google Chrome whose build version is earlier than 149.0.7827.155. The vulnerability is specific to the Chrome renderer component and applies to standard desktop builds of Chrome on Linux. No Windows or macOS versions are impacted by this particular defect.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity, yet the EPSS score is less than 1%, indicating a low probability of observed exploitation. The vulnerability is not listed in the CISA KEV catalog, which further suggests that no known public exploits exist at the time of this analysis. Attackers would need to bundle this flaw with another vulnerability or social‑engineering technique to first compromise the renderer, after which arbitrary script or HTML injection becomes possible.

Generated by OpenCVE AI on June 19, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.155 or later for Linux.
  • Configure Chrome to automatically receive updates and monitor vendor release notes to apply patches promptly.
  • If an update is not yet available, restrict rendering of untrusted content by disabling external extensions or turning off site isolation for untrusted sites using enterprise policies.

Generated by OpenCVE AI on June 19, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6351-1 chromium security update
History

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome UXSS via Renderer Compromise on Linux chromium-browser: chromium-browser: Inappropriate implementation in Views
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Chrome UXSS via Renderer Compromise on Linux
Weaknesses CWE-79

Wed, 17 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-17T13:17:20.990Z

Reserved: 2026-06-16T19:38:32.463Z

Link: CVE-2026-12463

cve-icon Vulnrichment

Updated: 2026-06-17T13:17:15.330Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T01:38:24Z

Links: CVE-2026-12463 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T14:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')