Description
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Omnibox component of Google Chrome on iOS allows a remote attacker to inject arbitrary scripts or HTML into a page if the user performs specific UI gestures prompted by the attacker. The injected content is executed within the web page’s context, resulting in a user-engagement-based UXSS vulnerability. The Chromium security severity for this vulnerability is classified as low.

Affected Systems

Google Chrome browsers on iOS devices with versions earlier than 150.0.7871.47 are affected. Users on the stable channel before the June 2026 update that introduced version 150.0.7871.47 are at risk.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating limited public exploitation data. The attack requires the attacker to persuade a user to carry out particular UI gestures, implying a social‑engineering component. Once executed, the injected JavaScript could compromise the user’s browsing session within the affected page. No further exploitation details are disclosed in the CVE description.

Generated by OpenCVE AI on July 1, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on iOS to version 150.0.7871.47 or later.
  • Avoid interacting with untrusted webpages that prompt unusual or repeated UI gestures.
  • Keep track of official Chrome release notes and security advisories for future updates.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:15:00 +0000

Type | Values Removed | Values Added
Title |  | User-Engagement UXSS Vulnerability in Chrome iOS Omnibox
Weaknesses |  | CWE-79

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description |  | Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
References |  |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:15.590Z

Reserved: 2026-06-29T23:11:35.657Z

Link: CVE-2026-14068

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')