Description
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate handling of form data in Google Chrome before version 150.0.7871.115 permits a malicious web page to cause the browser to execute arbitrary code within its sandbox. The vulnerability is a form‑related bug that can lead to the compromise of executable context while still maintaining the sandbox boundaries, effectively allowing the attacker to trigger code that runs with the privileges of the user’s Chrome process. Because browsers enforce integrity and confidentiality boundaries through sandboxing, a successful exploit would likely give the attacker significant control over the victim’s system, including the ability to read files, modify settings, and carry out further attacks. The weakness is consistent with code injection or improper input validation defects (CWE‑94).

Affected Systems

The flaw affects Google Chrome installed on desktop operating systems that had not yet updated to version 150.0.7871.115 or any later revision addressing the issue. No specific operating systems are mentioned, but the vulnerability exists in the desktop Chrome browser across all supported platforms until the security patch is applied.

Risk and Exploitability

The attack vector is inferred to be remote; an attacker simply needs to serve a crafted HTML page that the user visits, which can then exploit the flaw. The Chromium security team has classified the issue as high severity, indicating a potentially serious impact. At present no EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation may not yet be widespread. Nonetheless, the combination of high severity and the ability to trigger remote code execution within a user’s browser session warrants immediate attention and patching. The CVSS score is not provided in the public data, but the high severity rating alone signals a significant risk.

Generated by OpenCVE AI on July 9, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 150.0.7871.115 or newer as released by Google
  • Enforce Chrome update policies (e.g., Windows Group Policy or macOS MDM) to ensure all endpoints receive the patch promptly
  • If an immediate update is not feasible, block or restrict access to form elements on untrusted sites via your organization’s web filtering or Chrome policy settings until the vulnerability is fully patched

Generated by OpenCVE AI on July 9, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Inadequate Form Handling Leads to Remote Code Execution in Chrome
Weaknesses CWE-94

Thu, 09 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:04.563Z

Reserved: 2026-07-08T17:07:43.236Z

Link: CVE-2026-15125

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')