Description
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Paint implementation within Google Chrome prior to version 150.0.7871.47 and permits a remote attacker to create deceptive user interface elements through a specially crafted HTML page. This flaw is classified by Chromium security as medium severity, indicating that a successful exploit could mislead users into interacting with false UI elements, potentially leading to credential theft or other social engineering attacks.

Affected Systems

The issue affects all Chrome releases prior to 150.0.7871.47 across all platforms. Users who have not installed the latest stable update are exposed.

Risk and Exploitability

No EPSS score is available for this vulnerability, and it is not included in the CISA KEV catalog. Chromium rates the severity as Medium, which suggests that exploitation is plausible, but there is no publicly documented exploit. The attack requires a malicious webpage to be loaded in Chrome, and the attacker relies on the UI spoofing to trick the user.

Generated by OpenCVE AI on July 1, 2026 at 02:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 150.0.7871.47 or later.
  • Configure a strict Content Security Policy that disallows inline scripts and restricts the use of the Paint API for untrusted origins.
  • Ensure Chrome’s built‑in sandboxing features are enabled and regularly verify that automatic updates are functioning on all user devices.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Chrome Paint UI Spoofing via Crafted HTML |
| Weaknesses | | CWE-965 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:38:56.551Z

Reserved: 2026-06-29T23:04:18.449Z

Link: CVE-2026-14014

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:30:16Z