Impact
An inappropriate implementation in the File Input component of Google Chrome before version 150.0.7871.47 allows a remote attacker to perform UI spoofing via a crafted HTML page. The flaw does not provide code execution or data exfiltration, but it lets the attacker trick a user into interacting with a counterfeit user interface that appears to come from a trusted source. The Chromium security team rated it low severity, indicating limited direct damage beyond misleading users. The vulnerability is exploited solely through a malicious webpage viewed in the victim's browser, so triggering it requires social engineering.
Affected Systems
All installations of Google Chrome with a version older than 150.0.7871.47 are affected. This includes the stable, beta, dev, and canary channels until they are updated to a build that contains the 150.0.7871.47 fix. No other browsers or operating systems are cited as affected.
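For fleet triage, the practical check is a numeric comparison of each installed Chrome version against the fixed build. The script below is an added illustration, not code from OpenCVE or the Chromium project; the inventory lines, hostnames and the tab-separated "host, version" format are constructed assumptions. It parses the four-component Chrome version string and flags anything older than 150.0.7871.47, including entries a naive string comparison would get wrong.

```python
"""Flag Chrome installations older than the fixed build 150.0.7871.47.

Added illustrative code, not from OpenCVE or the Chromium project.
Chrome versions have four numeric components (MAJOR.MINOR.BUILD.PATCH);
the comparison must be numeric per component, not lexicographic.
"""
from typing import List, Tuple

FIXED_VERSION = "150.0.7871.47"  # first build containing the fix, per the advisory


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a dotted Chrome version into a 4-tuple of ints.

    Raises ValueError for anything that is not four numeric fields, so a
    malformed inventory entry is surfaced rather than silently treated as safe.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed build (tuple comparison is numeric)."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still need the update.

    Each line is "host<TAB>version" (assumed format). Lines that fail to parse
    are reported with an "unparseable:" prefix so they are not lost in triage.
    """
    needs_update = []
    for line in lines:
        host, _, version = line.partition("\t")
        try:
            if is_affected(version):
                needs_update.append((host, version))
        except ValueError:
            needs_update.append((host, f"unparseable:{version}"))
    return needs_update


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    "ws-01\t149.0.7650.112",   # older major: affected
    "ws-02\t150.0.7871.46",    # same build, lower patch: affected
    "ws-03\t150.0.7871.47",    # exactly the fixed build: not affected
    "ws-04\t150.0.7900.12",    # newer build: not affected
    "ws-05\t9.0.1.1",          # sorts "newer" as a string; numerically it is affected
    "ws-06\tunknown",          # malformed entry: surfaced, not hidden
]

if __name__ == "__main__":
    for host, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} needs update to {FIXED_VERSION}")
```

The "9.0.1.1" entry is there to show why string comparison is unsafe for this check: "9" sorts after "150" lexicographically, so a script comparing raw strings would report that host as patched.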
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently a high‑profile target. The CVSS score is not published in the available data, but the low severity rating and lack of exploitation reports imply a modest risk profile. An attacker must first entice a user to visit a malicious webpage with a crafted file input, and then rely on user interaction with the spoofed UI to achieve the desired misdirection. Given these prerequisites, the overall exploitation likelihood is relatively low.
OpenCVE Enrichment