Description
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in Chrome extensions prior to version 150.0.7871.47 allows an attacker who persuades a user to install a malicious extension to perform user interface spoofing. The flaw lets a crafted extension replicate or modify UI elements, potentially enabling phishing or credential theft. The Chromium team rates the severity as medium, indicating that the issue primarily undermines user trust rather than providing a direct code‑execution path.

Affected Systems

All users of the Google Chrome desktop browser running any version older than 150.0.7871.47 are affected. The threat does not apply to Chrome for Android or Chrome OS. Versions 150.0.7871.47 and newer include the corrected policy enforcement and are considered safe until further notice.

Risk and Exploitability

The description implies that the attack requires a social-engineering step in which the user installs the malicious extension; no network access or elevated privileges are needed. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently being actively exploited. Nonetheless, the potential for phishing or credential theft gives the flaw a moderate impact level.

Generated by OpenCVE AI on July 1, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 150.0.7871.47 or newer to apply the fixed policy enforcement.
  • If a vulnerable version was in use, uninstall or disable any extensions installed before the update, especially those requesting unnecessary permissions.
  • Enforce extension installation policies to allow only extensions from the Chrome Web Store or trusted vendors, and enable Safe Browsing and extension reporting to detect suspicious activity.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:45:00 +0000

Type         Values Removed   Values Added
Title                         UI Spoofing via Malicious Chrome Extension due to Insufficient Policy Enforcement
Weaknesses                    CWE-272, CWE-279

Tue, 30 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description                   Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:32.207Z

Reserved: 2026-06-29T23:03:59.224Z

Link: CVE-2026-13948

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:30:06Z

Weaknesses
  • CWE-272: Least Privilege Violation
  • CWE-279: Incorrect Execution-Assigned Permissions