Description
Inappropriate implementation in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome’s WebAppInstalls component allows a remote attacker to bypass the same origin policy through a crafted HTML page. The vulnerability is a medium‑severity flaw reported by Chromium, permitting cross‑origin access to data or functionality that should be isolated by the browser. The attacker could, without local access, read or modify information stored by other origins, potentially compromising user data and application integrity.

Affected Systems

Google Chrome versions prior to 150.0.7871.47 are affected. The fix is included in Chrome 150.0.7871.47, which corrects the flaw in WebAppInstalls.

Risk and Exploitability

The CVSS score is not publicly disclosed, the EPSS score is unavailable, and the flaw is not listed in CISA’s KEV catalog. Based on Chromium’s medium severity rating, the same‑origin bypass poses a moderate to high risk for confidentiality and integrity if an attacker can deliver the crafted page to a targeted user. The likely attack vector is a remotely crafted HTML page served over the web to the victim’s browser, exploiting the missing access control in WebAppInstalls. No exploitation examples have been reported, so the exploitation probability remains uncertain, though the underlying weakness is significant.

Generated by OpenCVE AI on July 1, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later.
  • If immediate patching is not feasible, disable the Web App Installs feature via enterprise policy or Chrome flags to prevent the exploit path.
  • Continuously monitor security advisories for additional mitigation guidance.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via WebAppInstalls in Google Chrome
Weaknesses CWE-284

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Google, Google chrome
Vendors & Products Google, Google chrome

Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Title Chrome WebAppInstalls Same‑Origin Policy Bypass via Crafted HTML Page
Weaknesses CWE-284

Wed, 01 Jul 2026 02:00:00 +0000

Type Values Removed Values Added
Title Chrome WebAppInstalls Same‑Origin Policy Bypass via Crafted HTML Page
Weaknesses CWE-284

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:07.465Z

Reserved: 2026-06-29T23:03:41.085Z

Link: CVE-2026-13881

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T12:30:17Z

Weaknesses