Impact
In Google Chrome versions prior to 150.0.7871.47, an incorrect implementation of the History API allows a remote attacker who convinces a user to visit a crafted HTML page to perform UI spoofing. The flaw can make a page appear to be legitimate content or steer users toward malicious destinations, enabling phishing and other deceptive attacks. The assigned weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), i.e. improper handling of user-supplied content that can be leveraged to manipulate what the user sees.
Affected Systems
The vulnerability affects Google Chrome on all platforms where the installed version is older than 150.0.7871.47. This includes every desktop and mobile build that has not yet received the June 2026 stable channel update. Users and administrators should check the installed Chrome version against 150.0.7871.47 to confirm whether remediation is still required; versions at or above that build are fixed.
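To make the "verify the installed version" step concrete, the following is an added example (not code from the advisory or from the Chromium project) that compares Chrome version strings segment by segment against the fixed build and flags hosts that still need the update. The inventory rows are constructed sample data; a real check would feed in versions collected from endpoint management or from `chrome --version`. The second row exists to show the pitfall of comparing versions as plain strings: "150.0.7871.5" sorts after "150.0.7871.47" lexicographically but is numerically older and still vulnerable.

```javascript
// First fixed build named in the advisory.
const FIXED_VERSION = "150.0.7871.47";

// Parse a four-part Chrome version ("MAJOR.MINOR.BUILD.PATCH") into numbers.
// Rejects anything that is not exactly four decimal segments so that a
// truncated or malformed inventory value fails loudly instead of comparing wrong.
function parseChromeVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`not a Chrome version string: ${v}`);
  }
  return parts.map(Number);
}

// Numeric, segment-wise comparison.
// Returns a negative number if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseChromeVersion(a);
  const pb = parseChromeVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A build is affected if it is strictly older than the fixed build.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Constructed sample inventory (hostnames and versions are made up for this example).
const SAMPLE_INVENTORY = [
  { host: "ws-01", version: "149.0.7810.120" }, // older major: vulnerable
  { host: "ws-02", version: "150.0.7871.5" },   // same build line, lower patch: vulnerable
  { host: "ws-03", version: "150.0.7871.47" },  // exactly the fixed build: not vulnerable
  { host: "ws-04", version: "151.0.7900.10" },  // newer major: not vulnerable
];

// Return the hostnames whose Chrome build is older than the fixed version.
function hostsNeedingUpdate(inventory) {
  return inventory.filter((e) => isVulnerable(e.version)).map((e) => e.host);
}

console.log("Hosts still needing the Chrome update:", hostsNeedingUpdate(SAMPLE_INVENTORY));
```

Note that a browser's User-Agent string is not a reliable source for this check: current Chrome builds send a reduced UA of the form `Chrome/<major>.0.0.0`, so the build and patch segments needed to distinguish 150.0.7871.5 from 150.0.7871.47 are not present there. Use the version reported by the browser itself or by endpoint inventory.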
Risk and Exploitability
The CVSS severity for this issue is rated Medium, and no EPSS score is available, so there is little data on exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been identified as actively exploited. To trigger the UI spoofing an attacker needs only to get a user to open a crafted HTML page; no local privileges or privileged network position are required. Because exploitation depends on that user interaction, user awareness reduces exposure, but it is not a control to rely on, and organizations should still prioritize updating to 150.0.7871.47 or later to eliminate the flaw.
OpenCVE Enrichment