Description
Incorrect security UI in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Spoofing via HTML
Action: Apply Patch
AI Analysis

Impact

An incorrect security UI element in Chrome’s Blink rendering engine allows an attacker to create a crafted webpage that mimics legitimate browser dialogs or security prompts. By presenting this forged interface to a user, the attacker can lure the victim into providing sensitive information or performing actions that they would normally avoid. This deception undermines the user’s trust in Chrome’s native UI, potentially leading to credential compromise or unauthorized actions.

Affected Systems

Google Chrome versions prior to 147.0.7727.55 are affected. The vulnerability is present in Blink and therefore impacts all platforms that ship this browser revision within the stable release channel.

Risk and Exploitability

The CVSS score is rated Medium, indicating moderate overall risk. An EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. Exploitation requires a victim to visit or load a maliciously crafted webpage, so the attack vector is remote and depends on user interaction in the browser. The flaw grants no privilege escalation or code execution, but the social engineering impact can be significant for end users.

Generated by OpenCVE AI on April 8, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • Verify the Chrome version by clicking the three‑dot menu, selecting Help, and choosing About Google Chrome.
  • If an automated update is not possible, download the latest stable installer from Google’s official website.
  • In the meantime, avoid opening suspicious links or untrusted webpages that request credentials.

Advisories
Source: Debian DSA
ID: DSA-6205-1
Title: chromium security update

History

Fri, 10 Apr 2026 12:15:00 +0000

  • Title: removed "Chrome Blink UI Spoofing via Crafted HTML"; added "chromium-browser: Incorrect security UI in Blink"
  • Weaknesses: added CWE-1021
  • References
  • Metrics: removed threat_severity: None; added cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'} and threat_severity: Moderate


Thu, 09 Apr 2026 08:30:00 +0000

  • Title: added "Chrome Blink UI Spoofing via Crafted HTML"
  • First Time appeared: added Google; Google chrome
  • Weaknesses: added CWE-200
  • Vendors & Products: added Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

  • Description: added "Incorrect security UI in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"
  • References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:48.141Z

Reserved: 2026-04-08T19:34:37.087Z

Link: CVE-2026-5878

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:27.440

Modified: 2026-04-08T22:16:27.440

Link: CVE-2026-5878

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5878 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:26:47Z

Weaknesses