Impact
This vulnerability allows a remote attacker to craft an HTML page that triggers a WebAppInstall dialog in Google Chrome whose security UI is rendered incorrectly. The attacker can use the misrendered dialog to spoof the interface and trick users into installing a malicious or deceptive web application. The weakness is classified as CWE-451, User Interface (UI) Misrepresentation of Critical Information. The direct impact is to user trust and the integrity of the installation flow; downstream compromise is possible if a user is deceived into installing a malicious web app.
Affected Systems
Google Chrome versions earlier than 146.0.7680.71 are affected; 146.0.7680.71 is the first fixed release. The flaw exists on every platform on which Chrome runs, including Windows, macOS, and Linux, so any desktop installation that has not been updated to the patched build remains exposed.
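A practitioner triaging an estate against this advisory needs a reliable way to decide whether a reported Chrome version falls below 146.0.7680.71. The following is an added example written for this page, not code from the advisory or from the Chromium project. It compares four-component Chrome version strings and, as a caveat, refuses to judge a version that Chrome's reduced User-Agent string reports with zeroed minor, build, and patch components (for example "146.0.0.0"), since such a string carries no information about the patch level. The User-Agent line and version strings in the test are constructed sample input; the fixed version is the one the advisory names.

```javascript
// Added example (not from the advisory): decide whether a reported Chrome
// version is below the first fixed release named in the advisory.
const FIXED_VERSION = "146.0.7680.71"; // first fixed release per the advisory

// Parse "major.minor.build.patch" into four integers, or return null if the
// string does not have exactly that shape.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison: -1 if a < b, 1 if a > b, 0 if equal.
// A plain string comparison would be wrong here ("146.0.7680.9" > "146.0.7680.71").
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error("malformed version string");
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed", or "unknown".
// Chrome's reduced User-Agent reports the version as e.g. "146.0.0.0": the
// minor, build and patch components are zeroed, so such a string cannot tell
// us whether the patched build is installed and must not be judged.
function assessChromeVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown";
  const [, minor, build, patch] = parsed;
  if (minor === 0 && build === 0 && patch === 0) return "unknown"; // reduced UA
  return compareVersions(version, FIXED_VERSION) < 0 ? "affected" : "fixed";
}

// Pull the Chrome version token out of a User-Agent string, or null if absent.
function chromeVersionFromUA(ua) {
  const m = /Chrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  return m ? m[1] : null;
}

// Convenience wrapper for inventory data that arrives as raw User-Agent lines.
function assessUserAgent(ua) {
  const version = chromeVersionFromUA(ua);
  return version ? assessChromeVersion(version) : "unknown";
}
```

In the browser, the full version (with real build and patch components) is available through `navigator.userAgentData.getHighEntropyValues(["fullVersionList"])` rather than from `navigator.userAgent`; feed the `version` field of the "Google Chrome" brand entry to `assessChromeVersion`. Inventory systems that only record the reduced User-Agent string will report "unknown" for every host, which is the correct answer rather than a false "fixed".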
Risk and Exploitability
The flaw carries a CVSS score of 4.3 (medium severity). Its EPSS score is below 1%, indicating a low predicted probability of exploitation, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation is remote but requires user interaction: the attacker hosts a crafted HTML page, and a user who visits it and proceeds through the WebAppInstall dialog is shown spoofed security UI. Given the low EPSS, widespread exploitation is unlikely, but the deception potential remains relevant to phishing and to the distribution of malicious web applications.