Description
Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the Autofill feature of Google Chrome on iOS before version 150.0.7871.47 permits a remote attacker to cause the browser to leak cross‑origin data. By convincing a user to perform specific, user‑initiated UI gestures on a crafted web page, the attacker can extract information that should be isolated to other origins. The published severity for this issue is labeled medium, indicating a noticeable risk to privacy but not a direct compromise of system integrity or availability.

Affected Systems

The vulnerable product is Google Chrome on iOS. All releases earlier than 150.0.7871.47 are affected; versions 150.0.7871.47 and newer include the fix.

Risk and Exploitability

The issue carries a Chromium security severity of Medium; no CVSS score is listed. Exploitation requires the victim to interact with a malicious page, so user interaction is a prerequisite. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote (a page the user loads), and the need for user gestures lowers the likelihood of automated exploitation but does not eliminate it.

Generated by OpenCVE AI on July 1, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on iOS to version 150.0.7871.47 or later.
  • Disable Autofill entirely if an update is not possible.
  • Avoid interacting with untrusted web pages that prompt for autofill gestures.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Cross-Origin Data Leak via Autofill in Google Chrome on iOS
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:19.270Z

Reserved: 2026-06-29T23:03:50.647Z

Link: CVE-2026-13913

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:00:12Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor