Description
Inappropriate implementation in SiteSettings in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Chrome's SiteSettings on Android lets a remote attacker serve a crafted HTML page that causes browser UI to be presented misleadingly (UI spoofing), so that what the user sees does not reflect the site they are actually interacting with. Chromium rated the issue Medium: on its own it does not expose data or execute code, but it is a vector for phishing and social engineering, because users who trust the spoofed UI may enter credentials or take other actions they would not take on the real site. The description does not say which element of the settings UI can be spoofed or how the crafted page triggers it.

Affected Systems

Google Chrome on Android versions prior to 150.0.7871.47 are affected. No other browsers or platforms are listed as vulnerable.

Risk and Exploitability

Exploitation requires only that the user visit an attacker-controlled page; no local access or prior compromise is needed. No EPSS score is available, and this CVE is not in the CISA KEV catalog, so no exploitation in the wild has been recorded there; that is not evidence that none occurs. No CVSS score has been supplied; Chromium's Medium rating reflects a UI-spoofing bug that needs user interaction and yields neither code execution nor direct data access. A successful spoof can lead to credential theft or to actions taken under a false belief about which site is in control. Because hosting a malicious page costs an attacker nothing, the practical risk is set by how quickly the installed base moves to the fixed version.

Generated by OpenCVE AI on July 1, 2026 at 01:22 UTC.

Remediation

The CVE description identifies 150.0.7871.47 as the first fixed version of Chrome on Android. No workaround is listed.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or later, ensuring that the latest security patches are applied.
  • On Android, Chrome updates through Google Play: keep Play auto-updates enabled, or push the update through your MDM, rather than relying on users to update manually.
  • Do not expect a policy workaround. SiteSettings is Chrome's own settings UI, not something a web page is permitted to configure, and no Chrome enterprise policy is listed that disables the affected behaviour. Where Chrome is managed, verify the rollout from the package version your MDM reports, and treat standard phishing controls (URL blocklists, user awareness that browser UI can be spoofed) as the interim mitigation.
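As an added example (not OpenCVE's or Chromium's code), the following Python check compares reported Chrome for Android versions against the fixed version named in the description, 150.0.7871.47, and triages a fleet inventory. It assumes three version sources a fleet typically has: `versionName=` lines from `adb shell dumpsys package com.android.chrome`, the `Chrome/x.y.z.w` token of a User-Agent header, and a `Sec-CH-UA-Full-Version-List` client-hint header; every inventory record below is constructed. Chrome's reduced User-Agent string reports only the major version (`Chrome/150.0.0.0`), so a major-only match on 150 is reported as inconclusive rather than as fixed.

```python
"""Fleet check for CVE-2026-13941: is a reported Chrome for Android build
older than the fixed version in the CVE description (150.0.7871.47)?

Added example, not OpenCVE or Chromium code. The inventory records below
are constructed for illustration.
"""
import re
from typing import Optional

# First fixed version, taken from the CVE description.
FIXED_VERSION = (150, 0, 7871, 47)

# Three places a fleet usually learns the installed Chrome version from:
#   - `adb shell dumpsys package com.android.chrome` (versionName=...)
#   - the Chrome/x.y.z.w token of a User-Agent request header
#   - the Sec-CH-UA-Full-Version-List client-hint header
DUMPSYS_RE = re.compile(r"versionName=(\d+\.\d+\.\d+\.\d+)")
UA_RE = re.compile(r"Chrome/(\d+\.\d+\.\d+\.\d+)")
CH_RE = re.compile(r'"Google Chrome";v="(\d+\.\d+\.\d+\.\d+)"')


def parse_version(text: str) -> Optional[tuple]:
    """Return a 4-tuple of ints for a dotted Chrome version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version < fixed, False if >= fixed, None if undecidable.

    Chrome's reduced User-Agent string reports only the major version,
    as Chrome/150.0.0.0. For major 150 that hides whether the build is
    before or after .7871.47, so it is reported as undecidable instead
    of being treated as fixed. Other majors are decidable from the
    major alone.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v[1:] == (0, 0, 0) and v[0] == FIXED_VERSION[0]:
        return None
    return v < FIXED_VERSION


def extract_version(source: str, raw: str) -> Optional[str]:
    """Pull a dotted version string out of one raw inventory record."""
    pattern = {"dumpsys": DUMPSYS_RE, "ua": UA_RE, "client-hints": CH_RE}.get(source)
    if pattern is None:
        return None
    m = pattern.search(raw)
    return m.group(1) if m else None


def triage(inventory):
    """Map device id -> 'vulnerable' | 'fixed' | 'inconclusive'."""
    labels = {True: "vulnerable", False: "fixed", None: "inconclusive"}
    verdicts = {}
    for device, source, raw in inventory:
        version = extract_version(source, raw)
        verdicts[device] = labels[is_vulnerable(version) if version else None]
    return verdicts


# Constructed records: (device id, source, raw text as collected).
SAMPLE_INVENTORY = [
    ("pixel-01", "dumpsys", "    versionName=150.0.7871.40"),
    ("pixel-02", "dumpsys", "    versionName=150.0.7871.47"),
    ("tab-03", "ua", "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/149.0.0.0 Mobile Safari/537.36"),
    ("tab-04", "ua", "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/150.0.0.0 Mobile Safari/537.36"),
    ("tab-05", "client-hints",
     '"Chromium";v="151.0.7900.12", "Google Chrome";v="151.0.7900.12", '
     '"Not-A.Brand";v="99.0.0.0"'),
    ("tab-06", "ua", "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Version/4.0 Mobile Safari/537.36"),
]

if __name__ == "__main__":
    for device, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device:10} {verdict}")
```

An "inconclusive" verdict from a User-Agent record is a prompt to collect the full version from the device (dumpsys or the client-hint header), not a reason to mark the device fixed; the only records that can clear a device are ones that carry the full four-component build.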

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type         Values Removed   Values Added
Title                         UI Spoofing via Improper SiteSettings Validation in Android Chrome
Weaknesses                    CWE-285, CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description                   Inappropriate implementation in SiteSettings in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:29.655Z

Reserved: 2026-06-29T23:03:57.550Z

Link: CVE-2026-13941

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')