Description
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: UI Spoofing
Action: Immediate Patch
AI Analysis

Impact

An incorrect security UI in Chrome’s Omnibox on iOS allows a remote attacker to display a spoofed URL through a specially crafted domain name. The rendering flaw lets the browser present altered address information without redirecting the user, which enables deceptive phishing attempts. The weakness involves a UI rendering inconsistency that permits domain manipulation. Google rates this issue as low severity.

Affected Systems

Chrome for iOS versions earlier than 147.0.7727.55 are affected. Users running any build before this release remain vulnerable until they upgrade the browser to a newer version that includes the UI fix.

Risk and Exploitability

No CVSS score is published, the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote attacker to entice a user into visiting a maliciously crafted domain; if the user enters that domain in the address bar, the browser will display the spoofed URL. The impact is limited to user deception and does not provide code execution or direct access to the device. Based on the available information, the risk level is moderate; widespread exploitation has not been reported.

Generated by OpenCVE AI on April 8, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome for iOS to version 147.0.7727.55 or later
  • Verify that the device is running the latest Chrome update
  • Stay informed of further security advisories from Google regarding Chrome for iOS

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Title | | Google Chrome iOS Omnibox URL Spoofing Vulnerability
First Time appeared | | Google, Google chrome
Weaknesses | | CWE-1005
Vendors & Products | | Google, Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:20:57.110Z

Reserved: 2026-04-08T19:34:41.346Z

Link: CVE-2026-5895

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:29.397

Modified: 2026-04-08T22:16:29.397

Link: CVE-2026-5895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:23Z

Weaknesses