CVE-2026-5905 - Vulnerability Details

- chromium-browser: Incorrect security UI in Permissions

Description

Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

Published: 2026-04-08

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in Chrome’s permission UI misrepresents the origin domain shown to users, allowing a crafted web page to display an unrelated domain name. This can deceive users into granting permissions or engaging with malicious content under the guise of a trusted site, resulting in phishing or credential theft. The vulnerability is recognized by CWE-1021 and CWE-451, indicating incorrect permission handling and UI misrepresentation.

Affected Systems

Affected users are on Microsoft Windows running any Chrome build before version 147.0.7727.55. The CVE applies to the stable channel of Google Chrome and does not affect other operating systems or Chrome releases beyond the specified version.

Risk and Exploitability

The CVSS v3.1 score of 6.5 classifies it as medium severity. The EPSS score is below 1 percent, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. A remote attacker can exploit the flaw by hosting a malicious HTML page; the attack requires the victim to visit the page and rely on the incorrect UI display to perform domain spoofing. Users should anticipate potential phishing attempts until the vulnerability is patched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[147.0.7727.55,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Chrome 147.0.7727.55 or newer
Verify the update by checking Chrome’s About page
Keep Chrome updated and monitor official release notes for security fixes

Generated by OpenCVE AI on April 14, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/483899628
https://nvd.nist.gov/vuln/detail/CVE-2026-5905
https://www.cve.org/CVERecord?id=CVE-2026-5905

History

Tue, 14 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Microsoft Microsoft windows

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Incorrect security UI in Permissions
Weaknesses		CWE-1021
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5905 https://www.cve.org/CVERecord?id=CVE-2026-5905
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title	Domain Spoofing via Incorrect Permission UI in Google Chrome on Windows
Weaknesses	CWE-613

Thu, 09 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title		Domain Spoofing via Incorrect Permission UI in Google Chrome on Windows
First Time appeared		Google Google chrome
Weaknesses		CWE-613
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/483899628

Subscriptions

Google Chrome

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:21:01.314Z

Updated: 2026-04-09T15:55:38.852Z

Reserved: 2026-04-08T19:34:44.127Z

Link: CVE-2026-5905

Vulnrichment

Updated: 2026-04-09T15:51:02.102Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:30.397

Modified: 2026-04-14T14:51:30.833

Link: CVE-2026-5905

Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5905 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:41:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object