Description
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Phishing through Omnibox spoofing
Action: Patch Browser
AI Analysis

Impact

The vulnerability stems from incorrect security UI in the Omnibox of Google Chrome on iOS. Before version 147.0.7727.55, Chrome failed to properly display security indicators when a crafted domain name was entered, enabling attackers to make the Omnibox appear trustworthy. An adversary could therefore spoof URLs and create convincing phishing experiences, potentially leading users to divulge sensitive information. This weakness aligns with CWE‑451, which concerns prohibited functionality exploitation.

Affected Systems

The flaw affected Google Chrome running on iOS devices, specifically versions earlier than 147.0.7727.55. Users of Chrome on other platforms, such as Android, Windows, macOS, or Linux, are not impacted by this particular issue.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk, and the EPSS is under 1%, suggesting a low likelihood of exploitation. The vulnerability was not listed in the CISA KEV catalog, and the only known vector is a remote attacker targeting iOS Chrome via a crafted domain name. Because the flaw relies on user interaction with a fabricated URL, the attacker must successfully entice a user to visit the malicious domain. Despite this, the limited impact on confidentiality and integrity means the overall threat level remains low. Updating to a patched release mitigates the risk entirely.

Generated by OpenCVE AI on April 13, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on iOS to version 147.0.7727.55 or later
  • Verify that the Omnibox displays correct security indicators for unfamiliar sites
  • Monitor Chrome release notes for any future security updates

Generated by OpenCVE AI on April 13, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1005

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Google Chrome iOS Omnibox URL Spoofing Vulnerability chromium-browser: Incorrect security UI in Omnibox
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Low

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Google Chrome iOS Omnibox URL Spoofing Vulnerability
First Time appeared Google
Google chrome
Weaknesses CWE-1005
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T20:10:25.808Z

Reserved: 2026-04-08T19:34:41.346Z

Link: CVE-2026-5895

cve-icon Vulnrichment

Updated: 2026-04-13T20:10:18.640Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:29.397

Modified: 2026-04-13T21:18:01.867

Link: CVE-2026-5895

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5895 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:34Z

Weaknesses