Description
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: URL Bar Spoofing
Action: Apply patch
AI Analysis

Impact

An insufficient policy enforcement bug in Google Chrome’s browser UI allows an attacker who has already compromised the renderer process to forge the contents of the omnibox, the URL bar. By loading a specially crafted web page, the attacker can cause Chrome to display a deceptive URL that does not match the actual page being viewed. This manipulation can trick users into believing they are interacting with a trusted site, potentially leading to phishing and credential theft. The vulnerability is classified as medium severity.

Affected Systems

Versions of Google Chrome prior to 147.0.7727.55 are affected on all supported operating systems, including Windows, macOS, and Linux. The problem is tied to the renderer component, which runs on any platform that hosts the Chrome browser. Users on older releases running the default stable channel are at risk if they visit malicious sites that exploit the renderer.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while an EPSS below 1% suggests that exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog, which implies it has not yet been observed in active use in the wild. Exploitation requires an attacker to first gain control of a renderer process, typically by delivering a malicious website or by leveraging another local compromise. Given these prerequisites, the likelihood of successful exploitation is low but non-zero, and administrators should prioritize patching when possible.

Generated by OpenCVE AI on April 14, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer.
  • If your environment relies on older Chrome releases, plan an upgrade to the latest stable channel as soon as possible.
  • Verify the current Chrome version in the browser menu and confirm that automatic updates are enabled.
  • Consider disabling or restricting extensions that may load untrusted content.
  • Monitor Google Chrome release notes and security advisories for future patches.

Advisories

Source      ID          Title
Debian DSA  DSA-6205-1  chromium security update

History

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows
CPEs
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses
  CWE-451
Metrics
  cvssV3_1
    {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'}
  ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  cvssV3_1
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses
  CWE-200
  CWE-79

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title
  Removed: Chrome Omnibox Spoofing via Compromised Renderer
  Added: chromium-browser: Incorrect security UI in browser UI
Weaknesses
  CWE-290
References
Metrics
  threat_severity
    None
  cvssV3_1
    {'score': 5.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N'}
  threat_severity
    Moderate

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title
  Chrome Omnibox Spoofing via Compromised Renderer
First Time appeared
  Google
  Google chrome
Weaknesses
  CWE-200
  CWE-79
Vendors & Products
  Google
  Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description
  Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T18:19:11.231Z

Reserved: 2026-04-08T19:34:37.513Z

Link: CVE-2026-5880

Vulnrichment

Updated: 2026-04-13T17:55:19.543Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:27.650

Modified: 2026-04-14T20:01:46.663

Link: CVE-2026-5880

Redhat

Severity : Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5880 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses