Description
Insufficient policy enforcement in Parser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient policy enforcement in the browser's parser allowed a remote attacker to deliver a crafted HTML page that bypassed content security policy. This could enable execution of attacker-controlled script in the victim's browser, leading to cross-site scripting and potential theft or alteration of data.

Affected Systems

All releases of Google Chrome up to and including 150.0.7871.46 are vulnerable. Versions 150.0.7871.47 and later contain the fix.

Risk and Exploitability

Chromium rates the flaw as Low severity and no EPSS score is available; it is publicly known but not listed in CISA KEV. Because the vulnerability can be triggered by any web page a user visits, the attack vector is exposed to the general public via malicious sites. The practical impact depends on the victim site's policies, but the risk remains wherever the policy could be circumvented to inject script. The absence of a known exploit in the wild suggests immediate exploitation is unlikely, and the vulnerability is resolved by updating the browser.

Generated by OpenCVE AI on July 1, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest stable Chrome release (150.0.7871.47 or newer).
  • If an update cannot be applied immediately, configure the browser to enforce a stricter content security policy or use an extension that blocks third‑party scripts.
  • Augment the web site’s server‑side CSP headers to tightly restrict script sources and namespaces to reduce the attack surface.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 02:15:00 +0000

Type       | Values Removed | Values Added
Title      |                | Bypass of Content Security Policy via Crafted HTML Page in Chrome
Weaknesses |                | CWE-639

Tue, 30 Jun 2026 23:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Insufficient policy enforcement in Parser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:12.014Z

Reserved: 2026-06-29T23:11:33.667Z

Link: CVE-2026-14058

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T02:00:07Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key