Description
Inappropriate implementation in WebGL in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in WebGL handling within Google Chrome, prior to version 150.0.7871.115, permits an attacker to inject arbitrary scripts or HTML through a crafted webpage. This injection can execute malicious code in the context of the victim’s browser, compromising the confidentiality, integrity, and availability of data accessed by the page. The issue is classified by Chromium security as high severity, indicating that affected users face serious risks if the vulnerability is exploited.

Affected Systems

All users of Google Chrome whose browser version is earlier than 150.0.7871.115 are affected. The vulnerability is tied specifically to the Chrome product from Google.

Risk and Exploitability

The vulnerability can be triggered remotely by delivering a maliciously crafted HTML page to a user who opens it in the affected browser. Although no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, its high severity rating and the ability to execute code suggest a significant risk if exploited. No additional conditions or credentials are required to exploit the flaw; any user browsing a malicious page could be impacted.

Generated by OpenCVE AI on July 9, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.115 or later, which includes the fix for the WebGL injection bug.
  • If an update cannot be applied immediately, disable WebGL by navigating to chrome://flags and turning off the WebGL option, or block WebGL via a browser extension.
  • Implement strict Content Security Policy headers on sites that render user‑generated content to mitigate the impact of any remaining injection vectors.

Generated by OpenCVE AI on July 9, 2026 at 03:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title WebGL Arbitrary Script Injection in Google Chrome
Weaknesses CWE-79

Thu, 09 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in WebGL in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:05.220Z

Reserved: 2026-07-08T17:07:43.731Z

Link: CVE-2026-15127

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T03:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')