Description
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Google Chrome’s DevTools allows a remote attacker to trick a user into performing specific UI gestures on a crafted web page, resulting in the leakage of cross‑origin data. The vulnerability exploits an inappropriate implementation that bypasses normal same‑origin restrictions, enabling the attacker to read sensitive information that would otherwise be inaccessible. The primary consequence is the disclosure of confidential data, potentially compromising user privacy or exposing proprietary information.

Affected Systems

The issue affects all desktop installations of Google Chrome versions prior to 150.0.7871.47, regardless of operating system. Any user running an affected build who visits a maliciously crafted page while interacting with DevTools can be impacted.

Risk and Exploitability

The Chromium project rates the severity as medium, and the exploit requires user interaction via a crafted HTML page. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating it is not actively exploited at large scale. Nonetheless, the attack vector relies on social engineering to induce the required UI gestures, so the overall risk is moderate but non‑negligible for users who frequently inspect web pages with DevTools.

Generated by OpenCVE AI on July 1, 2026 at 01:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later
  • Disable or restrict access to DevTools via enterprise policy or Group Policy settings
  • Educate users to avoid performing unknown UI gestures when inspecting pages with DevTools

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 01:45:00 +0000

Type | Values Removed | Values Added
Title | | DevTools UI Gesture Leak Exposes Cross‑Origin Data in Google Chrome
Weaknesses | | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:37.661Z

Reserved: 2026-06-29T23:04:02.962Z

Link: CVE-2026-13963

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T01:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor