CVE-2026-3063 - Vulnerability Details

- chromium-browser: Inappropriate implementation in DevTools

Description

Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)

Published: 2026-02-23

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improper implementation in Google Chrome’s DevTools allows a malicious extension, once installed by a user, to inject scripts or HTML into privileged pages. This facilitates the execution of arbitrary code with the elevated privileges of the browser, essentially enabling a high‑impact cross‑site scripting attack on the user’s own browser context.

Affected Systems

The issue affects users of Google Chrome browsers before version 145.0.7632.116 on Windows, macOS, and Linux operating systems.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8 and an EPSS score below 1 %, indicating high severity but low likelihood of exploitation. It is not currently listed in the CISA KEV catalog. The most probable attack vector involves social engineering to persuade a user to install a malicious extension that gains access to DevTools and exploits the privilege escalation flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`145.0.7632.116`	affected	< 145.0.7632.116

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[145.0.7632.116,145.0.7632.116)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 145.0.7632.116 or later.
Remove any installed extensions that request broad host permissions or were obtained from untrusted sources.
Review extension permissions on Chrome’s Extensions page and disable extensions that interact with DevTools or privileged pages.

Generated by OpenCVE AI on April 17, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6151-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html
https://issues.chromium.org/issues/485287859
https://nvd.nist.gov/vuln/detail/CVE-2026-3063
https://www.cve.org/CVERecord?id=CVE-2026-3063

History

Fri, 17 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-264 CWE-79

Thu, 26 Feb 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Wed, 25 Feb 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

Tue, 24 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Inappropriate implementation in DevTools
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3063 https://www.cve.org/CVERecord?id=CVE-2026-3063
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Tue, 24 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Mon, 23 Feb 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)
References		https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html https://issues.chromium.org/issues/485287859

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-02-23T22:17:19.953Z

Updated: 2026-02-26T14:44:10.495Z

Reserved: 2026-02-23T18:41:53.917Z

Link: CVE-2026-3063

Vulnrichment

Updated: 2026-02-25T17:08:11.143Z

NVD

Status : Modified

Published: 2026-02-23T23:16:16.107

Modified: 2026-02-25T18:23:42.363

Link: CVE-2026-3063

Redhat

Severity : Important

Publid Date: 2026-02-23T00:00:00Z

Links: CVE-2026-3063 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object