Description
Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an insufficient policy enforcement in the PageInfo component of Google Chrome that allows a remote attacker to craft a malicious HTML page to trick users into interacting with a user interface that appears legitimate but is actually deceptive. The primary consequence is that an attacker could lure a user into performing unintended actions or divulging information under false pretenses, exposing the user to phishing or related attacks. The official Chromium severity is Medium, indicating that while the flaw is non‑destructive, it has real potential to mislead users and facilitate social engineering.

Affected Systems

All installations of Google’s Chrome browser earlier than version 150.0.7871.47, on any supported operating system, were susceptible to this UI spoofing flaw. The remediation is a simple version upgrade, and the latest Chrome stable channel releases include the fix.

Risk and Exploitability

There is no EPSS score available for this vulnerability, and it is not listed in CISA’s KEV catalog, suggesting that it has not yet been widely exploited. Despite the lack of exploitation data, the vulnerability can be leveraged by an attacker who can host or embed a malicious page that a user visits, which highlights the importance of applying the vendor’s patch. The only known mitigation is to update the browser, and no publicly documented workaround exists at this time.

Generated by OpenCVE AI on July 1, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later
  • Ensure the Chrome update mechanism is enabled so the browser receives future security releases automatically
  • Provide user awareness training about the risks of UI spoofing and encourage users to verify unexpected UI prompts before taking action


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:00:00 +0000

Type | Values Removed | Values Added
Title | | UI Spoofing via Insufficient Policy Enforcement in Google Chrome
Weaknesses | | CWE-640

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:43.179Z

Reserved: 2026-06-29T23:04:06.823Z

Link: CVE-2026-13978

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:45:03Z

Weaknesses
  • CWE-640

    Weak Password Recovery Mechanism for Forgotten Password