Description
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI spoofing via crafted Web page on Chrome for iOS
Action: Patch Immediately
AI Analysis

Impact

A flaw in the security UI of the Omnibox component of Google Chrome for iOS before build 147.0.7727.55 permits a remote attacker to create a crafted HTML page that causes the browser to display misleading UI elements. This can lead to phishing or credential theft because users may trust the altered UI and interact with malicious links or input data. The weakness is a form of UI spoofing, categorized as CWE‑451, and carries a CVSS score of 4.3, indicating low severity but non‑negligible potential harm.

Affected Systems

The vulnerability affects Google Chrome running on iOS devices. Any installation of Chrome on iOS that has a build number earlier than 147.0.7727.55 is susceptible. The product is only impacted in the iOS environment; other operating systems listed in the CPE list—macOS, Linux kernel, Windows—are not directly affected by this specific issue.

Risk and Exploitability

The CVSS score of 4.3 and an EPSS score below 1% suggest that exploitation is unlikely and the attack surface is limited to users who visit a malicious web page in Chrome for iOS. The vulnerability is not part of the CISA KEV catalog, reinforcing its low to moderate risk profile. The attacker would need to host a crafted HTML page and entice a user to load it in Chrome on iOS; no additional credentials or system privileges are required for the attack.

Generated by OpenCVE AI on April 13, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 147.0.7727.55 or later on iOS and verify that the build number matches the latest release
  • If a browser update is unavailable, consider disabling the Omnibox’s automatic suggestion feature or using an alternative browser until a patch is applied
  • Monitor official Chrome release notes and security advisories for further updates or additional mitigation guidance

Generated by OpenCVE AI on April 13, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6205-1 chromium security update
History

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-795

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome iOS Omnibox UI Spoofing Vulnerability chromium-browser: Incorrect security UI in Omnibox
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Low

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Chrome iOS Omnibox UI Spoofing Vulnerability
First Time appeared Google
Google chrome
Weaknesses CWE-200
CWE-795
Vendors & Products Google
Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-13T18:17:54.556Z

Reserved: 2026-04-08T19:34:42.491Z

Link: CVE-2026-5898

cve-icon Vulnrichment

Updated: 2026-04-13T18:01:00.521Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:29.690

Modified: 2026-04-13T21:17:07.427

Link: CVE-2026-5898

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5898 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:31Z

Weaknesses