Description
Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can exploit insufficient validation of untrusted input in the WebXR feature of Google Chrome to bypass navigation restrictions by serving a specially crafted HTML page. The flaw allows the attacker to redirect the user to arbitrary URLs, potentially leading to phishing or other malicious content. This represents a weakness in input validation and authorization control, permitting unauthorized navigation flows that the browser should have prevented.

Affected Systems

All Google Chrome releases prior to version 150.0.7871.47 are vulnerable. Chrome installations that have not applied the 150.0.7871.47 update remain at risk.

Risk and Exploitability

The Chrome security team rates the severity as low, and no EPSS score is available. The flaw is not listed in the CISA KEV catalog. The attack vector is remote, via a crafted web page served to a user’s browser. No elevated privileges or system access are needed beyond rendering the page. Given the lack of publicly disclosed exploits, the likelihood of widespread exploitation remains modest.

Generated by OpenCVE AI on July 1, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later
  • If WebXR is not required, disable it via chrome://flags
  • Ensure Chrome auto‑update is enabled so future security patches are installed promptly

Generated by OpenCVE AI on July 1, 2026 at 03:59 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | WebXR Untrusted Input Exposes Navigation Restriction Bypass |
| Weaknesses | | CWE-20, CWE-284 |

Tue, 30 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:17.348Z

Reserved: 2026-06-29T23:11:36.679Z

Link: CVE-2026-14073

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T04:00:16Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-284: Improper Access Control