Impact
Insufficient policy enforcement in the browser’s parser allowed a remote attacker to deliver a crafted HTML page that bypassed content security policy. This could enable the execution of arbitrary scripts on a victim’s machine, leading to cross‑site scripting attacks and potential theft or alteration of data.
Affected Systems
All releases of Google Chrome up to and including 150.0.7871.46 are vulnerable. Versions 150.0.7871.47 and later contain the fix.
Risk and Exploitability
The flaw is rated low in Chromium’s own severity, and the EPSS score is not available, but it is publicly known and not listed in CISA KEV. Because the vulnerability can be triggered by any web page that a user visits, the attack vector is likely exposed to the general public via malicious sites. While the practical impact depends on the victim’s site policies, the risk remains in any scenario where the policy could be circumvented to inject script. The lack of a known exploit in the wild suggests the likelihood of immediate exploitation is low, but the vulnerability remains resolvable by updating the browser.
OpenCVE Enrichment