Description
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in insufficient policy enforcement within Chrome’s Passwords component before version 150.0.7871.115, allowing a remote attacker to bypass the same‑origin policy. This can enable cross‑origin access to data that should be isolated, potentially leading to theft or manipulation of stored credentials and other sensitive information. The weakness is an improper access control flaw that undermines browser isolation guarantees.

Affected Systems

Google Chrome browsers running any firmware earlier than 150.0.7871.115 are affected. Users of the stable channel prior to this build are at risk, while all newer releases incorporate the fix.

Risk and Exploitability

The vulnerability carries a high Chromium severity rating. No EPSS value is available, and it is not listed in the CISA KEV catalog, suggesting low publicly known exploitation evidence. However, a remote attacker can craft a malicious HTML page and deliver it via any vector that delivers web content to the browser, making the attack feasible when users visit or open such pages. The absence of a published workaround and low exploitation probability do not mitigate the inherent risk of the flaw.

Generated by OpenCVE AI on July 9, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.115 or later.
  • Restrict intake of untrusted HTML content within the organization by enforcing stricter web‑server controls and limiting access to potentially malicious internal pages.
  • Continuously monitor browsing activity and employ security solutions that detect anomalous same‑origin policy violations.

Generated by OpenCVE AI on July 9, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Same‑Origin Policy Bypass via Crafted HTML Page in Chrome Passwords
Weaknesses CWE-284
CWE-285

Thu, 09 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:04.239Z

Reserved: 2026-07-08T17:07:42.988Z

Link: CVE-2026-15124

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses