Description
Insufficient validation of untrusted input in File Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome on Android was found to perform insufficient validation of untrusted input when handling file input operations. A crafted HTML page could exploit this weakness to read data from other origins, resulting in cross‑origin information leakage. The flaw is a classic example of improper input validation (CWE‑20) and was rated high in Chromium’s internal severity scoring.

Affected Systems

The vulnerability applies to Google Chrome for Android versions earlier than 150.0.7871.47. Users of these releases on any Android device are at risk. Google recommends updating to the 150.0.7871.47 stable channel or newer to remove the flaw.

Risk and Exploitability

Chromium assigns the vulnerability a high severity. The issue is not listed in CISA’s KEV catalog, suggesting limited current exploitation data. Exploitation requires a crafted local or remote HTML page and a user who opens it in the affected browser. Once triggered, the attacker can read cross‑origin data, potentially compromising user privacy and sensitive application data.

Generated by OpenCVE AI on July 1, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Google Chrome update (150.0.7871.47 or newer).
  • If an update cannot be applied, remove or disable <input type="file"> elements on web pages that accept untrusted user input, or enforce server‑side MIME type validation for uploaded files.
  • Implement a strict Content Security Policy that blocks cross‑origin data requests triggered by file input handling.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:45:00 +0000

Type | Values Removed | Values Added
Title | | File Input Validation Flaw Allows Cross‑Origin Data Leak on Google Chrome for Android

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in File Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:43.661Z

Reserved: 2026-06-29T23:03:24.737Z

Link: CVE-2026-13816

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:30:06Z

Weaknesses
  • CWE-20: Improper Input Validation