Impact
This vulnerability stems from an improper handling of form input in Google Chrome before version 150.0.7871.115, allowing an attacker to embed arbitrary scripts or HTML into a crafted HTML page. If the victim opens or interacts with such a page, the injected code runs within the browser context, potentially enabling data theft, session hijacking, or malware installation. The weakness classifies as HTML injection, directly compromising the integrity of the browser’s execution environment. No additional user interaction beyond viewing the page is required, making the impact immediate once the malicious content is loaded.
Affected Systems
The affected products are Google Chrome browsers running any release earlier than 150.0.7871.115 on any supported platform. Users on the stable channel of Chrome prior to this build are vulnerable. The advisory identifies this issue only for the stable channel, with the fix applied in build 150.0.7871.115.
Risk and Exploitability
The CVSS score is as high, indicating significant severity. The EPSS score is not available, so the current probability of exploitation is unknown, but the absence of a known exploit in the CISA KEV catalog suggests the situation is not yet confirmed in active exploitation campaigns. Attackers could deliver a crafted HTML page through any medium that causes the user to load it, such as malicious emails, compromised websites, or local file access. Once loaded, the injection enables execution of arbitrary JavaScript in the browser, effectively compromising the user session. While no public exploit is noted, the high severity and potential for widespread user exposure warrants prompt remediation.
OpenCVE Enrichment