Description
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
Published: 2026-06-30
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in Google Chrome’s DevTools prior to version 150.0.7871.47 allows an attacker who convinces a user to install a malicious extension to perform UI spoofing through a crafted Chrome Extension. The flaw enables the attacker to alter the appearance of the browser’s user interface, potentially misleading the user into performing actions they intend to avoid. The vulnerability is categorized under low severity by Chromium, indicating limited impact when properly mitigated.

Affected Systems

Any user running a Google Chrome version earlier than 150.0.7871.47 who installs a malicious extension is affected. The affected product is Chrome for desktop platforms. No additional vendor or product variants are listed.

Risk and Exploitability

The attack vector is likely user manipulation: the attacker must persuade a user to install a malicious extension. Because the flaw resides in the DevTools context, exploitation does not require network-level access or elevated privileges. No public exploits are currently listed and the EPSS score is unavailable, suggesting low probability of widespread exploitation. The vulnerability is not registered in the CISA KEV catalog, further indicating limited immediate threat. However, the possibility of UI deception raises concern for user trust and phishing potential. Mitigation is primarily through updating to the patched Chrome release.

Generated by OpenCVE AI on July 1, 2026 at 03:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.47 or later
  • Disable remote debugging settings in Chrome DevTools
  • Only install extensions from trusted, verified sources

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:45:00 +0000

Type Values Removed Values Added
Title Chrome DevTools UI Spoofing via Malicious Extension
Weaknesses CWE-200

Wed, 01 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-01T01:48:40.560Z

Reserved: 2026-06-29T23:11:52.670Z

Link: CVE-2026-14154

Vulnrichment

Updated: 2026-07-01T01:48:35.287Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:30:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-451

    User Interface (UI) Misrepresentation of Critical Information