Description
Inappropriate implementation in PerformanceAPIs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper implementation of Chrome’s PerformanceAPIs permits a remote attacker who delivers a crafted HTML page to the victim to read data originating from a different origin. The flaw could lead to the disclosure of confidential or sensitive information, representing a breach of confidentiality but not directly compromising system integrity or availability.

Affected Systems

Versions of Google Chrome released before 150.0.7871.47 are affected. The vulnerability resides in the PerformanceAPIs module of the browser and is triggered by a maliciously crafted web page whose source is controlled by the attacker.

Risk and Exploitability

The official Chromium severity for this issue is Medium, and no EPSS score is available. The problem is not listed in the CISA KEV catalog. Exploitation requires the victim to load an attacker-controlled page in their browser, which is a typical web‑based attack scenario. The likelihood of exploitation cannot be quantified without an EPSS value, but browsers that have not been updated remain exposed to potential leakage of data from other origins.

Generated by OpenCVE AI on July 1, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 150.0.7871.47 or newer, which contains the fix.
  • Configure Chrome Enterprise policy to disable PerformanceAPI usage.
  • Use web‑filtering or URL‑blocking controls to stop access to sites that host malicious pages designed to exploit this defect.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Cross‑origin Data Leak via PerformanceAPIs Vulnerability |
| Weaknesses | | CWE-200 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Inappropriate implementation in PerformanceAPIs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:33.662Z

Reserved: 2026-06-29T23:04:00.213Z

Link: CVE-2026-13952

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor