Description
Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome versions prior to 150.0.7871.47, a flaw in the CSS implementation permits a crafted HTML page to manipulate the browser's rendering of UI elements, effectively allowing an attacker to perform UI spoofing. Attackers can use this to trick users into interacting with fake controls, enabling phishing or credential theft. The vulnerability is rated high severity by Chromium security.

Affected Systems

The affected product is Google Chrome, specifically all builds before version 150.0.7871.47.

Risk and Exploitability

An attacker can exploit the flaw remotely by hosting a malicious HTML page and enticing a user to visit it. No public exploit has been documented and the vulnerability is not listed in CISA's KEV catalog. The EPSS score is unavailable, so the likelihood of exploitation in the wild is unknown, but the high severity and ease of triggering through a simple web page suggest a significant risk to users on affected versions.

Generated by OpenCVE AI on July 1, 2026 at 06:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • Remove or block older Chrome installations from the system.
  • Keep Chrome's built‑in phishing protection enabled and install reputable security extensions that alert users to UI anomalies.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 06:30:00 +0000

Type | Values Removed | Values Added
Title | | UI Spoofing via CSS in Chrome Enabling Phishing Attacks
Weaknesses | | CWE-1025, CWE-647

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:51.432Z

Reserved: 2026-06-29T23:03:30.001Z

Link: CVE-2026-13837

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T06:15:16Z

Weaknesses
  • CWE-1025: Comparison Using Wrong Factors
  • CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions