Description
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chrome for iOS contains an implementation flaw that a remote attacker can exploit by luring a user to a crafted HTML page and convincing them to perform specific UI gestures. Once the user follows the attacker's cues, the Omnibox (URL bar) displays falsified text, so the user may believe they are viewing or interacting with a different web page than the one actually loaded. Because the real destination of the browsing session is obscured, the flaw enables social-engineering-based phishing and credential theft. Based on the description, the weakness is inferred to involve improper handling of user-interface elements, which could be categorised under an input-validation or UI-spoofing type such as CWE-74.

Affected Systems

The flaw affects Google Chrome on iOS in versions earlier than 150.0.7871.47. Any device running an affected build is susceptible when the user opens a maliciously constructed web page that prompts them to perform the required UI gestures.

Risk and Exploitability

The CVSS score is not publicly available, and there is no EPSS value, indicating that the risk-assessment data has not been released. The vulnerability is not listed in the CISA KEV catalog, suggesting no known large-scale exploitation at this time. However, the attack vector is remote via a crafted web page, and the requirement that the user perform gestures adds a social-engineering component. If the user follows the attacker's cues, the Omnibox can be spoofed, potentially leading to phishing or credential theft.

Generated by OpenCVE AI on July 1, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome on iOS to version 150.0.7871.47 or later to obtain the vendor‑provided fix.
  • Regularly check the Google Chrome release blog or product update page to stay current with security patches.
  • Avoid performing unfamiliar UI gestures on web pages that you have not verified, and double‑check the URL in the Omnibox after interaction.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:45:00 +0000

Type | Values Removed | Values Added
Title | | Spoofing of Chrome for iOS Omnibox via Crafted HTML Page
Weaknesses | | CWE-74

Wed, 01 Jul 2026 02:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-451
Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:58:59.124Z

Reserved: 2026-06-29T23:04:08.198Z

Link: CVE-2026-13983

Vulnrichment

Updated: 2026-07-01T01:52:48.111Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:30:06Z

Weaknesses
  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information

  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')