Description
Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in how Google Chrome processes password-related navigation restrictions. A maliciously crafted HTML page can cause the browser to ignore these restrictions, allowing a remote attacker to direct a user to arbitrary URLs without the user's knowledge or consent. This bypass enables phishing, malware delivery, or other unwanted content. It is an improper enforcement of the browser's navigation constraints, which Chromium classifies as High severity.

Affected Systems

Google Chrome builds earlier than 150.0.7871.47 are affected. The notification does not specify which operating systems are impacted; it applies to any platform that runs the affected Chrome version.

Risk and Exploitability

Chromium’s high severity rating indicates a serious risk. No CVSS score is published; EPSS is unavailable, and the flaw is not listed in CISA’s KEV catalog. An attacker only needs to host or serve a crafted page, meaning the attack can be carried out remotely from any location. The vulnerability requires no local code execution; once the victim opens the malicious page, the bypass is triggered via the browser’s navigation logic.

Generated by OpenCVE AI on July 1, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or newer.
  • If an update cannot be applied, use enterprise policy to block navigation triggered from password fields.
  • Disable automatic password filling or auto‑login for untrusted sites via Chrome settings.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome Password-Related Navigation Restriction Bypass via Crafted HTML Page |
| Weaknesses | | CWE-669, CWE-693 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) |
| References | | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:44.421Z

Reserved: 2026-06-29T23:03:25.222Z

Link: CVE-2026-13818

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:30:06Z

Weaknesses
  • CWE-669: Incorrect Resource Transfer Between Spheres
  • CWE-693: Protection Mechanism Failure