Description
Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is insufficient validation of untrusted input within Blink, Chrome's rendering engine, in Google Chrome before version 150.0.7871.47. This weakness, classified as CWE-20 (Improper Input Validation), permits a remote adversary to serve a specially crafted web page that tricks the browser into treating cross-origin content as if it were same-origin. If exploited, the attacker could read or modify data belonging to other origins, enabling credential theft or other data-exfiltration attacks.

Affected Systems

The vulnerability affects Google Chrome browsers running any version earlier than 150.0.7871.47. No other products or vendors are known to be impacted.

Risk and Exploitability

Chromium rates the issue as medium severity. Exploitation requires a victim to visit a maliciously constructed HTML page, a common delivery technique for phishing and drive-by attacks. EPSS data is not available, and the flaw is not listed in CISA's KEV catalog, but the potential impact on confidentiality and integrity is significant because the same-origin policy is a cornerstone of web security. The attacker may gain persistent access to session cookies or other sensitive information belonging to different origins.

Generated by OpenCVE AI on July 1, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or newer
  • Configure a strict Content-Security-Policy to restrict cross-origin resource loading
  • Monitor browser activity for unusual navigation or scripting patterns originating from untrusted sources


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type: Title | Values Removed: (none) | Values Added: Remote Same Origin Policy Bypass via Untrusted Input in Blink

Tue, 30 Jun 2026 23:15:00 +0000

Type: Description | Values Removed: (none) | Values Added: Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-20
Type: References | Values Removed: (none) | Values Added: (none)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:36.224Z

Reserved: 2026-06-29T23:04:01.967Z

Link: CVE-2026-13959

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-20: Improper Input Validation