CVE-2026-5919 - Vulnerability Details

- chromium-browser: Insufficient validation of untrusted input in WebSockets

Description

Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)

Published: 2026-04-08

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Insufficient validation of untrusted input in WebSockets allows a remote attacker who has compromised the renderer process to bypass the same‑origin policy via a crafted HTML page. The attacker can read, modify, or delete data from contexts belonging to other origins, potentially compromising the confidentiality and integrity of user data accessed by the browser. This flaw is a classic input‑validation issue (CWE‑20) combined with an improper origin check (CWE‑346).

Affected Systems

The affected product is Google Chrome. All installations of Chrome running versions prior to 147.0.7727.55 are vulnerable, regardless of operating system. The vulnerability impacts any platform where Chrome is available, including macOS, Linux, and Windows.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, yet the EPSS score of less than 1 % suggests the likelihood of exploitation is presently low. This issue is not listed in the CISA KEV catalog. Exploitation requires a compromised renderer process and the delivery of a specially crafted page, meaning the attack vector is web‑based and dependent on user interaction. The resulting impact is primarily unauthorized access to data from other origins.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`147.0.7727.55`	affected	< 147.0.7727.55

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[0,147.0.7727.55)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Chrome to version 147.0.7727.55 or later

Generated by OpenCVE AI on April 13, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6205-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html
https://issues.chromium.org/issues/483423893
https://nvd.nist.gov/vuln/detail/CVE-2026-5919
https://www.cve.org/CVERecord?id=CVE-2026-5919

History

Mon, 13 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Apple Apple macos Linux Linux linux Kernel Microsoft Microsoft windows

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: Insufficient validation of untrusted input in WebSockets
Weaknesses		CWE-346
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5919 https://www.cve.org/CVERecord?id=CVE-2026-5919
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title	Remote WebSocket Origin Policy Bypass via Renderer Compromise in Chrome

Thu, 09 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Title		Remote WebSocket Origin Policy Bypass via Renderer Compromise in Chrome
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/483423893

Subscriptions

Apple Macos

Google Chrome

Linux Linux Kernel

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-04-08T21:21:07.618Z

Updated: 2026-04-29T15:15:03.132Z

Reserved: 2026-04-08T20:10:22.501Z

Link: CVE-2026-5919

Vulnrichment

Updated: 2026-04-09T14:21:19.379Z

NVD

Status : Modified

Published: 2026-04-08T22:16:31.667

Modified: 2026-04-29T16:16:28.083

Link: CVE-2026-5919

Redhat

Severity : Low

Publid Date: 2026-04-07T00:00:00Z

Links: CVE-2026-5919 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object