Description
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-15
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: Remote cross‑origin data leakage
Action: Immediate patch
AI Analysis

Impact

This vulnerability allows a remote attacker who has already compromised the Chrome renderer process to read cross‑origin data through a crafted HTML page. CORS is the policy that decides whether a response fetched from another origin may be handed back to the requesting page; Chrome performs that check outside the renderer, in the browser process's network service, precisely so that a renderer an attacker already controls cannot simply skip it. The flaw is that this enforcement was insufficient, so a compromised renderer could obtain cross‑origin response data it should never have received (for example, responses from a site the victim is authenticated to). The result is information disclosure across an origin boundary. Chromium rates the issue High despite the compromised‑renderer precondition, because a cross‑origin bypass from a compromised renderer defeats a defense the browser relies on.
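To make concrete what "policy enforcement in CORS" has to decide, the following is an added JavaScript example; it is not Chrome's code and not part of the CVE record. It implements the Fetch Standard's CORS check (the Access-Control-Allow-Origin match, the wildcard rule, Access-Control-Allow-Credentials) and the filtering of response headers before a cross‑origin response reaches script. Chrome runs this logic in the network service rather than in the renderer so that a compromised renderer cannot bypass it. The origins and header sets below are constructed for the example.

```javascript
// Added illustration (not Chrome's code) of the Fetch Standard "CORS check" and
// the response-header filtering a browser applies before a cross-origin
// response is exposed to script. Header lists are arrays of [name, value]
// pairs with case-insensitive names, so multi-valued headers can be expressed.

const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// All values of a header, trimmed; [] when absent.
function headerValues(headers, name) {
  const n = name.toLowerCase();
  return headers
    .filter(([k]) => k.toLowerCase() === n)
    .map(([, v]) => v.trim());
}

// Decide whether a response may be handed to a page at requestOrigin.
// credentialsMode is "omit", "same-origin" or "include", as in fetch().
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const acao = headerValues(responseHeaders, "Access-Control-Allow-Origin");
  if (acao.length !== 1) {
    // Absent or ambiguous (several values): the response stays opaque.
    return { ok: false, reason: "Access-Control-Allow-Origin missing or multi-valued" };
  }
  const allowed = acao[0];
  if (allowed === "*") {
    // The wildcard never covers credentialed requests.
    return credentialsMode !== "include"
      ? { ok: true, reason: "wildcard, no credentials" }
      : { ok: false, reason: "wildcard not allowed with credentials" };
  }
  if (allowed !== requestOrigin) {
    return { ok: false, reason: `origin mismatch: allowed ${allowed}` };
  }
  if (credentialsMode !== "include") {
    return { ok: true, reason: "origin matches" };
  }
  const acac = headerValues(responseHeaders, "Access-Control-Allow-Credentials");
  return acac.length === 1 && acac[0] === "true"
    ? { ok: true, reason: "origin matches, credentials allowed" }
    : { ok: false, reason: "credentialed request without Access-Control-Allow-Credentials: true" };
}

// After a successful check, script sees only CORS-safelisted response headers
// plus those named in Access-Control-Expose-Headers; "*" there exposes all
// (except Set-Cookie) and only for non-credentialed requests.
function exposedHeaders(credentialsMode, responseHeaders) {
  const exposeList = headerValues(responseHeaders, "Access-Control-Expose-Headers")
    .flatMap((v) => v.split(","))
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  const wildcard = credentialsMode !== "include" && exposeList.includes("*");
  const allowed = new Set([...SAFELISTED_RESPONSE_HEADERS, ...exposeList]);
  return responseHeaders
    .map(([k, v]) => [k.toLowerCase(), v])
    .filter(([k]) => k !== "set-cookie" && k !== "set-cookie2" && (wildcard || allowed.has(k)));
}

// Constructed sample: a page on https://attacker.example fetches from a bank
// with credentials: "include" (the victim's cookies ride along).
const ATTACKER = "https://attacker.example";
const PARTNER = "https://partner.example";
const NO_CORS = [["Content-Type", "application/json"], ["Set-Cookie", "session=abc"]];
const WILDCARD = [["Content-Type", "application/json"], ["Access-Control-Allow-Origin", "*"]];
const SCOPED = [
  ["Content-Type", "application/json"],
  ["Access-Control-Allow-Origin", PARTNER],
  ["Access-Control-Allow-Credentials", "true"],
  ["Access-Control-Expose-Headers", "X-Request-Id"],
  ["X-Request-Id", "42"],
  ["X-Internal", "do-not-leak"],
];

// What a correctly enforcing browser lets each page see.
function demo() {
  return {
    noHeader: corsCheck(ATTACKER, "include", NO_CORS).ok,                 // false
    wildcardCredentialed: corsCheck(ATTACKER, "include", WILDCARD).ok,    // false
    wildcardAnonymous: corsCheck(ATTACKER, "omit", WILDCARD).ok,          // true
    attackerVsScoped: corsCheck(ATTACKER, "include", SCOPED).ok,          // false
    partnerVsScoped: corsCheck(PARTNER, "include", SCOPED).ok,            // true
    partnerSees: exposedHeaders("include", SCOPED).map(([k]) => k),       // ["content-type", "x-request-id"]
  };
}

console.log(demo());
```

Run it with `node cors_check.js`. The rows where the attacker origin gets `false` are exactly the responses a compromised renderer must not be able to read; the vulnerability on this page is that Chrome's browser‑side version of this decision did not hold in some case the record does not detail.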

Affected Systems

Google Chrome versions before 147.0.7727.101 are vulnerable; the fix ships in 147.0.7727.101. The record names only Google Chrome and does not state a release channel or list other Chromium‑based browsers. Any installation still running an earlier version is affected until it is updated to 147.0.7727.101 or later.

Risk and Exploitability

The CVE record carries a CVSS 3.1 base score of 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N): network‑reachable with user interaction (visiting the crafted page), but high attack complexity because a renderer compromise must come first, and a confidentiality‑only impact. The SSVC entry records no known exploitation and rates the issue not automatable, and it is not listed in the CISA KEV catalog. The precondition is real: the attacker needs a separate renderer bug to get here, which limits opportunistic exploitation. Renderer compromise is, however, the routine first stage of browser exploit chains, and a CORS‑enforcement weakness that survives it turns any such bug into cross‑origin data theft, which is why Chromium rates the severity High even though the CVSS score is Low. Treat the update as urgent rather than reading the 3.1 as low priority.

Generated by OpenCVE AI on April 16, 2026 at 02:23 UTC.

Remediation

The vendor fix is the update to Chrome 147.0.7727.101 or later (see Recommended Actions below); no workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 147.0.7727.101 or later on all affected machines, and confirm the installed version afterwards (chrome://version).
  • Ensure Chrome automatic updates are enabled, or proactively check for updates, so future patches apply promptly.
  • Keep Site Isolation enabled (it is on by default on desktop Chrome; the enterprise policy is SitePerProcess). It limits what a compromised renderer can reach, but it is not a mitigation for this bug, whose premise is a renderer that is already compromised; only the update fixes it.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 02:45:00 +0000

Type                 Values Removed   Values Added
Title                                 CORS Policy Bypass Allows Cross-Origin Data Leak in Chrome

Wed, 15 Apr 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Google
                                      Google chrome
Vendors & Products                    Google
                                      Google chrome

Wed, 15 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-284
Metrics                               cvssV3_1
                                      {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
                                      ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description                           Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-15T20:00:40.125Z

Reserved: 2026-04-14T18:12:25.939Z

Link: CVE-2026-6313

Vulnrichment

Updated: 2026-04-15T20:00:35.271Z

NVD

Status: Received

Published: 2026-04-15T20:16:41.093

Modified: 2026-04-15T20:16:41.093

Link: CVE-2026-6313

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses