Impact
An inappropriate implementation in the Omnibox component of Google Chrome on iOS allows a remote attacker to inject arbitrary script or HTML into a page, provided the user performs specific UI gestures prompted by the attacker. The injected content executes in the web page's own origin context, making this a user-engagement-based universal XSS (UXSS). Chromium rates the security severity of this vulnerability as low.
Affected Systems
Google Chrome browsers on iOS devices with versions earlier than 150.0.7871.47 are affected. Users on the stable channel before the June 2026 update that introduced version 150.0.7871.47 are at risk.
Risk and Exploitability
No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, so public exploitation data is limited. Exploitation requires persuading the user to carry out particular UI gestures, which makes social engineering a necessary component of any attack. If the injected JavaScript runs, it could compromise the user's browsing session within the affected page. The CVE description discloses no further exploitation details.
OpenCVE Enrichment