Impact
An inappropriate implementation of the file-input element in Google Chrome allows a remote attacker who can persuade a user to perform specific UI gestures to carry out UI spoofing via a crafted web page. From the description it can be inferred that the attacker needs the victim to perform ordinary interactions on the page, such as clicking or selecting. Through that interaction the attacker can cause the browser to present a misleading file-picker or similar trusted browser UI, so the user believes they are interacting with a legitimate element while the page controls what is shown. Chromium rates the flaw Medium severity. It does not yield arbitrary code execution; its impact is the subversion of the user's intent, which could be leveraged for phishing or credential theft.
Affected Systems
Google Chrome versions older than 145.0.7632.45 are affected; 145.0.7632.45 and later are not. The flaw lies in the browser's own handling of file-input elements rather than in any platform-specific component, so out-of-date Chrome installations on every supported operating system (Windows, macOS, Linux) are at risk.
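As a practical check of the affected range above, here is an added example (not part of the advisory or of Chromium's code) that compares reported Chrome version strings against the fixed build numerically, component by component; the inventory records and host names are constructed for illustration.

```javascript
// Added example (not from the advisory): decide whether a reported Chrome
// version predates the fixed build named on this page. The fixed version is
// taken from the page; the sample inventory below is constructed.
const FIXED_VERSION = "145.0.7632.45";

// Parse "major.minor.build.patch" into an array of numbers.
// Throws on anything that is not dot-separated non-negative integers, so a
// garbled inventory entry is reported instead of silently treated as "safe".
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length === 0 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`not a numeric dotted version: ${JSON.stringify(v)}`);
  }
  return parts.map((p) => parseInt(p, 10));
}

// Component-wise numeric comparison; missing trailing components count as 0,
// so "145.0" equals "145.0.0.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "Older than the fixed version" is the affected range stated on the page.
function isAffected(version, fixed = FIXED_VERSION) {
  return compareVersions(version, fixed) < 0;
}

// Evaluate a list of {host, version} records and return the hosts that are
// still running an affected build.
function affectedHosts(inventory) {
  return inventory.filter((r) => isAffected(r.version)).map((r) => r.host);
}

// Constructed sample data (hypothetical hosts and version strings).
const SAMPLE_INVENTORY = [
  { host: "ws-01", version: "144.0.7559.132" },
  { host: "ws-02", version: "145.0.7632.45" },
  { host: "ws-03", version: "145.0.7632.9" },   // a plain string compare would call this newer
  { host: "ws-04", version: "146.0.7700.10" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("affected:", affectedHosts(SAMPLE_INVENTORY));
}
```

The numeric comparison matters: a lexical string comparison ranks "145.0.7632.9" above "145.0.7632.45" because "9" sorts after "4", and would wrongly report that host as patched. The version string to feed in is the one shown at chrome://version on the endpoint.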
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5 and an EPSS score below 1 %, indicating a low probability of exploitation in the wild at this time. Exploitation requires a social-engineering scenario: the victim must visit a malicious web page and perform simple UI gestures such as clicking a button. From the description it can be inferred that the attack depends entirely on that user interaction; it grants neither elevated privileges nor remote code execution. The vulnerability is not listed in the CISA KEV catalog, which suggests that exploitation in the wild has not been observed.