Description
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an inappropriate implementation in Chrome for iOS that lets a remote attacker craft an HTML page that replaces the legitimate contents of the Omnibox (URL bar) when viewed in the browser. The attacker can thereby alter what the user sees as the current URL, making it appear that the user is visiting a different site. The primary impact is that it can facilitate phishing attacks or other social engineering exploits. It does not grant code execution or direct system compromise.

Affected Systems

The affected software is Google Chrome for iOS. Versions prior to 150.0.7871.47 are vulnerable. Any device running these earlier Chrome for iOS builds is at risk.

Risk and Exploitability

Chromium rates the vulnerability as High severity, but no CVSS score is reported in the provided data, and the EPSS score is not available. The attack requires the attacker to serve a crafted HTTP(S) page that the user must open in Chrome for iOS; no special privileges are needed on the device. Because the attacker only needs to provide a malicious webpage, the likelihood of exploitation in the wild is moderate; however, the deception potential is significant. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on July 1, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome for iOS to version 150.0.7871.47 or later.
  • Enable Chrome's Safe Browsing feature in the settings to help detect spoofed URLs.
  • Educate users to verify the displayed URL in the omnibox, especially before entering sensitive information.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
Title Chrome iOS Omnibox Spoofing via Crafted HTML Page
Weaknesses CWE-200

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 01 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Title Chrome for iOS Omnibox Spoofing via Crafted HTML Page
Weaknesses CWE-1025
CWE-79

Wed, 01 Jul 2026 01:30:00 +0000

Type Values Removed Values Added
Title Chrome for iOS Omnibox Spoofing via Crafted HTML Page
Weaknesses CWE-1025
CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High)

References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:37:53.235Z

Reserved: 2026-06-29T23:03:31.246Z

Link: CVE-2026-13842

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T12:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor