Impact
Insufficient validation of user-supplied input in Chrome’s WebAppInstalls component allowed a local attacker to craft an HTML page that bypasses the browser’s same-origin policy. By injecting this content, the attacker could read or manipulate data belonging to a different origin, potentially exposing sensitive information or executing arbitrary scripts. The weakness maps to CWE‑20, reflecting incorrect input validation.
Affected Systems
Google Chrome for Android, versions prior to 150.0.7871.115. The vulnerability is specific to the WebAppInstalls feature and is not present in later releases.
Risk and Exploitability
The flaw is classified as high severity and requires local access on the device. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly confirmed exploitation reports yet. Nonetheless, the local nature of the attack and the potential for cross‑origin data leakage present a significant risk to any user who can run malicious local content.
OpenCVE Enrichment