Description
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.115 allowed a local attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of user-supplied input in Chrome’s WebAppInstalls component allowed a local attacker to craft an HTML page that bypasses the browser’s same-origin policy. By injecting this content, the attacker could read or manipulate data belonging to a different origin, potentially exposing sensitive information or executing arbitrary scripts. The weakness maps to CWE‑20, reflecting incorrect input validation.

Affected Systems

Google Chrome for Android, versions prior to 150.0.7871.115. The vulnerability is specific to the WebAppInstalls feature and is not present in later releases.

Risk and Exploitability

The flaw is classified as high severity and requires local access on the device. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly confirmed exploitation reports yet. Nonetheless, the local nature of the attack and the potential for cross‑origin data leakage present a significant risk to any user who can run malicious local content.

Generated by OpenCVE AI on July 9, 2026 at 08:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Chrome for Android version 150.0.7871.115 or newer. This patch implements proper input validation for WebAppInstalls.
  • If an immediate update is not possible, restrict users from loading content that could invoke WebAppInstalls by disabling or blocking that feature in browser settings or via device policy.
  • Implement a network or application firewall rule to block known malicious sites that might serve crafted pages designed to exploit the same‑origin policy breach.
  • Ensure proper DOM input validation is applied by developers integrating custom WebAppInstalls functionality, following CWE‑20 mitigation techniques.

Generated by OpenCVE AI on July 9, 2026 at 08:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Title Local Same-Origin Policy Bypass via WebAppInstalls Input Validation Failure in Android Chrome

Thu, 09 Jul 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.115 allowed a local attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:01.233Z

Reserved: 2026-07-08T17:07:40.716Z

Link: CVE-2026-15115

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:00:14Z

Weaknesses
  • CWE-20

    Improper Input Validation