Description
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-07-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from an improper handling of form input in Google Chrome before version 150.0.7871.115, allowing an attacker to embed arbitrary scripts or HTML into a crafted HTML page. If the victim opens or interacts with such a page, the injected code runs within the browser context, potentially enabling data theft, session hijacking, or malware installation. The weakness classifies as HTML injection, directly compromising the integrity of the browser’s execution environment. No additional user interaction beyond viewing the page is required, making the impact immediate once the malicious content is loaded.

Affected Systems

The affected products are Google Chrome browsers running any release earlier than 150.0.7871.115 on any supported platform. Users on the stable channel of Chrome prior to this build are vulnerable. The advisory identifies this issue only for the stable channel, with the fix applied in build 150.0.7871.115.

Risk and Exploitability

The CVSS score is as high, indicating significant severity. The EPSS score is not available, so the current probability of exploitation is unknown, but the absence of a known exploit in the CISA KEV catalog suggests the situation is not yet confirmed in active exploitation campaigns. Attackers could deliver a crafted HTML page through any medium that causes the user to load it, such as malicious emails, compromised websites, or local file access. Once loaded, the injection enables execution of arbitrary JavaScript in the browser, effectively compromising the user session. While no public exploit is noted, the high severity and potential for widespread user exposure warrants prompt remediation.

Generated by OpenCVE AI on July 9, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.115 or newer
  • Ensure all users receive the latest stable update through automatic update mechanisms or enterprise policy
  • Configure Chrome policies or content security settings to restrict JavaScript execution on untrusted content until the patch is applied

Generated by OpenCVE AI on July 9, 2026 at 08:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Title Remote JavaScript Injection via Insecure Forms Handling in Chrome
Weaknesses CWE-79

Thu, 09 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-07-08T22:36:05.560Z

Reserved: 2026-07-08T17:07:43.967Z

Link: CVE-2026-15128

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T09:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')