Description
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome for iOS exposes cross-origin data when a user performs certain UI gestures on a crafted web page. The vulnerability allows a remote attacker to obtain sensitive information from another origin via a malicious HTML page. The impact is primarily confidentiality loss, as data such as cookies, local storage, or other secrets can be leaked to an attacker. No remote code execution or direct system compromise is reported.

Affected Systems

Google Chrome for iOS versions earlier than 150.0.7871.47 are affected.

Risk and Exploitability

No CVSS score is listed and no EPSS score is available, so public metrics on exploitation likelihood are limited. The vulnerability is not listed in the CISA KEV catalog. Attack steps likely involve a malicious web page convincing a user to perform intricate UI gestures, which then trigger the data leak. Although exploitation requires user interaction, the moderate severity suggests that this vulnerability is a notable risk to confidentiality for affected users.

Generated by OpenCVE AI on July 1, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Chrome for iOS update to 150.0.7871.47 or later as released by Google.
  • Avoid performing unexpected or suspicious UI gestures on unfamiliar web pages, especially those that prompt the browser to access cross-origin data.
  • Use Chrome’s security prompts to block insecure or mixed content when possible, reducing the chance that cross-origin data can be copied by a malicious page.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Google, Google chrome |
| Vendors & Products | | Google, Google chrome |

Wed, 01 Jul 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Cross-origin Data Leak via UI Gestures in Chrome for iOS |
| Weaknesses | | CWE-200 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:11.490Z

Reserved: 2026-06-29T23:03:43.731Z

Link: CVE-2026-13892

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T09:15:15Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor