Description
Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Download restriction bypass
Action: Apply Patch
AI Analysis

Impact

Insufficient validation of untrusted input within Chrome’s Downloads component on Windows allows a remote attacker to bypass download restrictions by serving a crafted HTML page. The flaw, identified as CWE‑20, can deliver files to a user without triggering the browser’s usual download warnings, potentially facilitating malware delivery or data exfiltration. The vulnerability does not enable arbitrary code execution but undermines user protection by allowing silent or privileged downloads.

Affected Systems

Google Chrome for Windows versions earlier than 147.0.7727.55 are affected.

Risk and Exploitability

No CVSS score is provided, but Chromium notes the issue as a medium‑severity problem. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to visit a malicious or compromised web page that serves the crafted HTML; once the user loads the page, the attacker can trigger downloads that bypass normal user confirmation. The risk remains until the update is applied.

Generated by OpenCVE AI on April 8, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.55 or later.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Insufficient Input Validation in Chrome Downloads Allows Bypass of Download Restrictions
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:51.857Z

Reserved: 2026-04-08T19:34:39.349Z

Link: CVE-2026-5887

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:28.553

Modified: 2026-04-08T22:16:28.553

Link: CVE-2026-5887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:39Z

Weaknesses