Description
Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation of SVG in Google Chrome before version 150.0.7871.47 allows a remote attacker to deliver a crafted HTML page that forces the browser to render user interface elements that spoof the legitimate UI. The result is that a user can be deceived into interacting with a fake dialog, button or form that appears to belong to Chrome, creating the opportunity for credential theft or other phishing‑like exploitation.

Affected Systems

Google Chrome for desktop (Windows, macOS, Linux) versions prior to 150.0.7871.47. The issue affects the stable channel of Chrome and is applicable to any user who runs a pre‑150.0.7871.47 build and visits a crafted web page containing the vulnerable SVG content.

Risk and Exploitability

The vulnerability has a medium severity assessment from Chromium and no known exploitation, as indicated by the lack of a KEV listing and the unavailable EPSS score. The likely attack vector is remote: an HTTP or HTTPS web page that hosts malicious SVG content, requiring only that the victim load the page in Chrome. Because the flaw does not expose administrative or elevated privileges, its immediate impact is limited to UI deception, unless users unknowingly provide credentials or sensitive data to the spoofed interface.

Generated by OpenCVE AI on July 1, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or newer. This is the recommended remediation from Google.
  • If an immediate upgrade is not feasible, restrict external SVG content by applying Chrome’s enterprise policies or by disabling SVG rendering on untrusted sites. This reduces the window in which the UI spoofing can be delivered.
  • Educate users to be cautious of unexpected prompts or form fields that appear to be part of Chrome, and to verify that the browser’s UI elements match the expected appearance. In addition, monitor consistently for unusual UI rendering behavior that might signal attempts to deliver malicious SVG.

Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:30:00 +0000

Type       | Values Removed | Values Added
Title      |                | Remote UI Spoofing via Improper SVG Rendering in Chrome
Weaknesses |                | CWE-200

Tue, 30 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:56.172Z

Reserved: 2026-06-29T23:04:18.208Z

Link: CVE-2026-14013

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:15:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor