Description
Insufficient validation of untrusted input in WebUI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is insufficient validation of untrusted input in the Chrome WebUI component. A remote attacker can supply malicious network traffic that causes Chrome to treat the traffic as trusted input, enabling the browser to read and expose data from a different origin that should be protected. This leads to confidential data leakage, potentially giving attackers access to sensitive user information or secrets stored in the browser.

Affected Systems

The issue affects Google Chrome versions earlier than 150.0.7871.47, including all major releases up to that point. Any user running an affected Chrome build on a desktop platform is susceptible when the WebUI is active and exposed to untrusted network traffic.

Risk and Exploitability

The vulnerability is rated Medium by Chromium security, but no CVSS score is provided. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, indicating it has not been widely exploited yet. Nonetheless, a remote attacker could trigger the flaw by delivering malicious traffic that reaches the Chrome WebUI, making the risk moderate but still significant for organizations that rely on Chrome for secure browsing.

Generated by OpenCVE AI on July 1, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.47 or later, which implements proper input validation in the WebUI component.
  • If upgrade cannot be performed immediately, restrict Chrome’s access to untrusted network traffic by configuring firewall rules or using a network policy that blocks or isolates the compromised WebUI endpoints.
  • Audit Chrome logs or use security monitoring to detect abnormal network requests to WebUI interfaces and investigate any potential exploitation attempts.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Cross-Origin Data Leakage in Chrome WebUI due to Input Validation Failure |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Insufficient validation of untrusted input in WebUI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium) |
| Weaknesses | | CWE-20 |
| References | | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:11.854Z

Reserved: 2026-06-29T23:03:43.974Z

Link: CVE-2026-13893

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:00:14Z

Weaknesses
  • CWE-20: Improper Input Validation