Description
Inappropriate implementation in ScriptInjections in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the ScriptInjections component of Google Chrome on iOS allows a remote attacker to craft an HTML page that causes the browser to expose data from a different origin. The attacker can read information that should be protected by the same-origin policy, potentially revealing sensitive user data, credentials, or other confidential content. The weakness stems from insecure handling of script injection and can lead to information disclosure.

Affected Systems

The issue affects Google Chrome on iOS devices running versions prior to 150.0.7871.47. iOS installations of Chrome that have not applied the stable channel update contain the vulnerable code. All users of these versions on iOS are exposed, in both enterprise and consumer deployments. No other products or platforms are listed as affected.

Risk and Exploitability

The vulnerability is rated Medium on Chromium's security severity scale, but exact CVSS metrics are not provided in the public record. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits are known at this time. Based on the description, the likely attack vector is a malicious web page served to the victim's device, so any user who visits a compromised site could trigger the data leak. The flaw requires no elevated privileges and can be exploited through normal browsing activity, making it a significant risk for users who may unknowingly visit malicious content.

Generated by OpenCVE AI on July 1, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome on iOS to version 150.0.7871.47 or later (as published in the Chrome Stable release channel update); this removes the vulnerable ScriptInjections implementation.
  • If an immediate update is not possible, disable JavaScript for cross‑origin content using website settings or content blocking extensions to reduce the exposure window until a patch is installed.
  • Monitor Apple and Google security advisories for any work‑arounds and apply any interim patches as they become available.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:15:00 +0000

| Type | Values Removed | Values Added |
| Title | | Cross-Origin Data Leak via Script Injection in Chrome iOS |
| Weaknesses | | CWE-200, CWE-79 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| Description | | Inappropriate implementation in ScriptInjections in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:31.500Z

Reserved: 2026-06-29T23:03:58.737Z

Link: CVE-2026-13946

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:00:12Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')