Description
Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass download restrictions leading to potential execution of malicious files
Action: Patch
AI Analysis

Impact

The vulnerability is a failure to validate untrusted input in the Downloads component of Google Chrome. An attacker can craft an HTML page that causes Chrome to ignore its standard download restrictions, so that a file is downloaded silently or with reduced warnings. If a user opens such a page, the browser may download a malicious file and enable its execution, compromising the integrity of the system and potentially exposing sensitive data. The weakness corresponds to CWE-1289 and CWE-20.

Affected Systems

The flaw affects Google Chrome versions prior to 147.0.7727.55 on Windows. Users running older Chrome installations on Windows are vulnerable. The CVE record lists additional operating systems (macOS, Linux, Windows), but the vendor's advisory confirms impact only for Chrome on Windows. No other Chrome or platform versions are currently confirmed to be affected.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% denotes a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to lure a user to a malicious HTML page to trigger the download bypass, so the threat is moderate but warrants attention, especially for users handling downloads from untrusted sources.

Generated by OpenCVE AI on April 13, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or newer
  • Verify that the update has been applied by checking the browser’s About page
  • Configure Chrome to apply automatic updates whenever available
  • If an update cannot be installed immediately, limit automatic downloads or enforce stricter download warnings in settings

Advisories

Source: Debian DSA
ID: DSA-6205-1
Title: chromium security update

History

Mon, 13 Apr 2026 21:30:00 +0000

First Time appeared (added): Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
CPEs (added):
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products (added): Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Mon, 13 Apr 2026 19:15:00 +0000

Metrics (added): ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 12:15:00 +0000

Title (removed): Insufficient Input Validation in Chrome Downloads Allows Bypass of Download Restrictions
Title (added): chromium-browser: Insufficient validation of untrusted input in Downloads
Weaknesses (added): CWE-1289
References
Metrics (removed): threat_severity: None
Metrics (added): cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Metrics (added): threat_severity: Moderate


Thu, 09 Apr 2026 08:30:00 +0000

Title (added): Insufficient Input Validation in Chrome Downloads Allows Bypass of Download Restrictions
First Time appeared (added): Google, Google chrome
Vendors & Products (added): Google, Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Description (added): Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses (added): CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T18:18:28.533Z

Reserved: 2026-04-08T19:34:39.349Z

Link: CVE-2026-5887

Vulnrichment

Updated: 2026-04-13T17:58:42.767Z

NVD

Status: Analyzed

Published: 2026-04-08T22:16:28.553

Modified: 2026-04-13T21:17:32.733

Link: CVE-2026-5887

Redhat

Severity: Moderate

Public Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5887 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:41Z

Weaknesses