Description
Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in Google Chrome on iOS allows a remote attacker to manipulate UI elements through a crafted web page, enabling social engineering attacks that may trick users into entering sensitive information or delegating unintended actions. This vulnerability is identified as an input validation flaw (CWE‑20).

Affected Systems

Affected are users who run Google Chrome on iOS prior to version 148.0.7778.96. The issue is limited to the iOS build of the browser and does not affect desktop or Android releases.

Risk and Exploitability

The CVSS score of 5.4 signals a Medium severity risk. There is no EPSS score available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by luring a victim into visiting a maliciously crafted page; no local privilege escalation or kernel compromise is required, but the potential for credential phishing or deceptive interactions exists.

Generated by OpenCVE AI on May 7, 2026 at 01:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome on iOS (148.0.7778.96 or newer).
  • Avoid clicking unknown or suspicious links that could display malicious HTML.
  • Keep iOS and Chrome updated to receive future security fixes.

Generated by OpenCVE AI on May 7, 2026 at 01:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:30:00 +0000

Type Values Removed Values Added
Title Insufficient Validation of Untrusted Input Allows UI Spoofing in Chrome on iOS

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os

Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Insufficient Validation of Untrusted Input Allows UI Spoofing in Chrome on iOS

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-20
References

Subscriptions

Apple Iphone Os
Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:59:39.527Z

Reserved: 2026-05-05T22:59:12.878Z

Link: CVE-2026-7931

cve-icon Vulnrichment

Updated: 2026-05-06T20:48:26.724Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:41.443

Modified: 2026-05-06T23:36:43.060

Link: CVE-2026-7931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:15:17Z

Weaknesses