Description
Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Google Chrome versions prior to 150.0.7871.47, an inappropriate implementation of the History API allows a remote attacker to perform UI spoofing via a crafted HTML page. The flaw can cause a legitimate webpage to be rendered with misleading content or to redirect users to malicious destinations, potentially leading to phishing or other deceptive attacks. The weakness is classified as CWE-79, indicating improper handling of user-supplied content that can be leveraged for manipulation.

Affected Systems

The vulnerability affects Google Chrome running on any platform where the browser version is older than 150.0.7871.47. This includes all desktop and mobile builds that have not yet applied the update released in the June 2026 stable channel update. Users and administrators should verify the installed Chrome version to confirm whether remediation is required.

Risk and Exploitability

The issue carries a Chromium security severity of Medium (no CVSS score is published), and the EPSS score is not available, suggesting current exploitation data is limited. The vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been identified as a high-profile exploited issue. An attacker need only deliver a crafted HTML page to a user to trigger the UI spoofing; local privileges or network access are not prerequisites. Because the attack relies on a user opening the malicious page, the risk is partly mitigated by user awareness, but organizations should still prioritize patching to eliminate the flaw.

Generated by OpenCVE AI on July 1, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later, following the release notes provided by Google.
  • If using Chrome Enterprise, deploy a policy to restrict or disable the use of the History API for navigation changes, limiting potential spoofing vectors.
  • Review and re-authorize any extensions or scripts that rely on the History API after the update to ensure no legacy code remains that could reintroduce the vulnerability.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:45:00 +0000

Type       | Values Removed | Values Added
Title      | (none)         | UI Spoofing via History API in Google Chrome Prior to 150.0.7871.47
Weaknesses | (none)         | CWE-79

Wed, 01 Jul 2026 03:00:00 +0000

Type       | Values Removed | Values Added
Title      | (none)         | UI Spoofing via History API in Google Chrome Prior to 150.0.7871.47
Weaknesses | (none)         | CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References  | (none)         |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:38.830Z

Reserved: 2026-06-29T23:04:03.697Z

Link: CVE-2026-13966

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:30:17Z

Weaknesses

No weakness.