Description
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by insufficient validation of untrusted input in the WebAppInstalls component of Google Chrome on Windows. A remote attacker can deliver a crafted HTML page that, when a user performs specific UI gestures, will execute arbitrary code in the context of the user’s browser. The impact is a complete compromise of confidentiality, integrity, and availability by enabling arbitrary code execution.

Affected Systems

Google Chrome for Windows versions prior to 150.0.7871.47 are affected. Any user running these versions may be vulnerable if they allow a maliciously crafted page to be loaded and the required UI gestures performed.

Risk and Exploitability

The vulnerability is classified as High by Chromium security. There is no EPSS score available, and it is not listed in the CISA KEV catalog, indicating no publicly known exploits at this time. Attackers would need to entice the user to open a specific HTML page and perform the UI gestures, so social engineering is required. Once the conditions are met, arbitrary code can be executed, leading to a full compromise of the user’s machine.

Generated by OpenCVE AI on July 1, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later using the official update mechanism.
  • Restrict or disable the WebAppInstalls feature through browser flags or Group Policy to prevent the exploitation path.
  • Educate users about the risks of clicking suspicious links or engaging in unexpected UI gestures within the browser.

Generated by OpenCVE AI on July 1, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via Untrusted Input in Chrome WebAppInstalls

Wed, 01 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via WebAppInstalls Input Validation Flaw

Wed, 01 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via WebAppInstalls Input Validation Flaw

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T13:43:33.939Z

Reserved: 2026-06-29T23:03:19.400Z

Link: CVE-2026-13794

cve-icon Vulnrichment

Updated: 2026-07-01T13:43:28.378Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T14:45:16Z

Weaknesses
  • CWE-20

    Improper Input Validation