Description
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WebAppInstalls feature of Google Chrome prior to version 150.0.7871.47 insufficiently validates untrusted input. Because the application fails to properly filter or sanitize input embedded in a crafted HTML page, a remote attacker can construct a malicious document that bypasses normal input checks and injects code. This flaw allows the attacker to execute arbitrary code inside Chrome’s sandbox environment, which, while isolated from the operating system, compromises the confidentiality and integrity of the browser’s internal state and can be leveraged for further attacks such as privilege escalation or data exfiltration. The weakness is a classic example of input validation failure, classified as CWE-20.

Affected Systems

The vulnerability affects Google Chrome running on desktop platforms. All users of Chrome versions earlier than 150.0.7871.47 are potentially impacted, regardless of operating system. The issue is specific to the WebAppInstalls component and does not currently affect other Chrome modules.

Risk and Exploitability

There is no published EPSS score, and the vulnerability is not listed in CISA’s KEV catalog. The flaw permits remote execution of arbitrary code via a crafted HTML page, but Chromium flags its security severity as Low. The remote attacker can target users by hosting a malicious web page that exploits the WebAppInstalls component; once executed, the code runs inside Chrome’s sandbox, limiting OS impact but still compromising browser data and potentially enabling lateral privilege escalation. Due to the lack of public exploitation records and the low severity rating, the overall exploitation risk is considered moderate, but prompt patching is still advised.

Generated by OpenCVE AI on July 1, 2026 at 04:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later, ensuring the WebAppInstalls input validation is fixed.
  • If an immediate update is not possible, disable or remove the WebAppInstalls feature via Chrome policies or disable the relevant flag to eliminate the entry point.
  • Consider implementing additional web content filtering at the network or device level to block delivery of malicious HTML content targeting Chrome users.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:15:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Web Application Install Input Validation Allows Remote Code Execution

Tue, 30 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
Weaknesses | | CWE-20
References | |


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:28.540Z

Reserved: 2026-06-29T23:11:42.979Z

Link: CVE-2026-14104

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T05:00:07Z

Weaknesses
  • CWE-20: Improper Input Validation