Description
Inappropriate implementation in DataTransfer in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An implementation defect in Chrome’s DataTransfer handling on macOS allows a remote attacker to trick a user into performing specific UI gestures on a crafted web page, resulting in the leakage of cross-origin data. The flaw does not give the attacker code execution; instead it exploits improper access controls within the browser’s internal data transfer mechanisms to expose sensitive information to a malicious site. Consequently, confidential data such as clipboard contents or drag-and-drop data can be disclosed to a third-party origin, undermining data confidentiality for users who interact with affected pages.

Affected Systems

Google Chrome for macOS installations with versions prior to 150.0.7871.47 are vulnerable. Users of older Chrome releases on macOS devices are at risk until they upgrade to the patched version or a later release that contains the fix.

Risk and Exploitability

The Chromium security severity is listed as Medium, and no CVSS score has been assigned. The EPSS score is not yet available, so there is no data-driven estimate of exploitation likelihood. The vulnerability is not included in CISA’s KEV catalog. Exploitation requires that a user be convinced to perform specific UI gestures, so the attack depends on social engineering and user interaction rather than a purely automatic remote trigger. Given these constraints, the immediate operational risk is moderate, but the flaw can still lead to unintended data exposure if users follow a phishing-style prompt.

Generated by OpenCVE AI on July 1, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later, which contains the fix for the DataTransfer bug.
  • Configure the browser to auto-update, or schedule regular checks of Chrome’s release notes, so that security patches are applied promptly.
  • Educate users about the risk of performing unusual UI gestures at a page's prompting or dragging and dropping data between sites, and discourage interaction with untrusted web pages that may attempt to exploit this flaw.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | Cross-Origin Data Leak via DataTransfer Bug in Chrome for Mac
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in DataTransfer in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:30.760Z

Reserved: 2026-06-29T23:03:58.260Z

Link: CVE-2026-13944

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor