Description
Inappropriate implementation in HTMLParser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper implementation of the HTML parser in Chrome that allows a remote attacker to inject and execute arbitrary scripts or HTML through a specially crafted page. This flaw can enable cross‑site scripting (XSS) attacks, potentially leading to the execution of malicious code within the context of a user’s browser session. The vulnerability is classified as medium severity by Chromium’s internal scoring and is tied to CWE‑79.

Affected Systems

Affected browsers are Google Chrome versions prior to 150.0.7871.47. The issue applies to all operating systems that run this older Chrome build; the CNA list simply lists Google:Chrome. Users who have not yet upgraded remain vulnerable.

Risk and Exploitability

No CVSS score or EPSS estimate is published, but the medium severity rating and the fact that an attacker can trigger the flaw by presenting a crafted page suggest a moderate to high exploitation risk. The vulnerability is not currently listed in CISA’s KEV catalog, and no official workaround is available, so exposure can only be mitigated by applying the product update. Attackers can deliver the exploit via any web page, email attachment, or malicious link that a user opens.

Generated by OpenCVE AI on July 1, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome release that includes the HTMLParser fix (150.0.7871.47 or later).
  • Ensure automatic updates are enabled on all devices so future security patches are applied promptly.
  • Apply an enterprise policy or web‑filtering solution that blocks navigation to untrusted sites or malicious content to reduce the chance of delivery of crafted pages.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | HTMLParser Vulnerability Enabling Arbitrary Script Injection
Weaknesses | | CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in HTMLParser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:42.817Z

Reserved: 2026-06-29T23:04:06.570Z

Link: CVE-2026-13977

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')