Description
Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an insufficient enforcement of security policy within the Search component of the Chrome browser. A remote attacker can craft a malicious HTML page that, when opened by a victim, allows the attacker to read data from cross‑origin sources that are otherwise protected by the browser’s same‑origin policy. This data can then be exfiltrated to an external site, creating a confidentiality breach. The vulnerability does not provide code execution, privilege escalation, or denial of service capabilities.

Affected Systems

Any installation of Google Chrome built before version 148.0.7778.96 is affected. The issue is not limited to a specific channel or operating system, so all platforms that support the vulnerable Chrome release are at risk.

Risk and Exploitability

Exploitation requires a user to open a crafted page, so it is a remote, user‑interaction vulnerability. No additional authentication or elevated privileges are needed. The EPSS score of < 1% indicates an extremely low likelihood of exploitation, and the CVSS score of 4.3 confirms a modest severity. The flaw is not listed in CISA’s KEV catalog, and the only impact is potential cross‑origin data leakage.

Generated by OpenCVE AI on May 9, 2026 at 04:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.96 or newer
  • Enable automatic updates to receive future security patches
  • If an upgrade cannot be performed immediately, consider disabling the Search feature or filtering cross‑origin script execution through the browser’s configuration settings

Generated by OpenCVE AI on May 9, 2026 at 04:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Insufficient Search Policy Enforces Cross‑Origin Data Leak in Chrome chromium-browser: Insufficient policy enforcement in Search
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 01:45:00 +0000

Type Values Removed Values Added
Title Insufficient Search Policy Enforces Cross‑Origin Data Leak in Chrome

Thu, 07 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome Search Policy Enforcement Allows Cross‑Origin Data Leakage
Weaknesses CWE-200
CWE-284

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Chrome Search Policy Enforcement Allows Cross‑Origin Data Leakage
Weaknesses CWE-200
CWE-284

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:53.219Z

Reserved: 2026-05-05T22:59:34.565Z

Link: CVE-2026-8011

cve-icon Vulnrichment

Updated: 2026-05-06T21:15:03.533Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:52.067

Modified: 2026-05-07T15:16:58.667

Link: CVE-2026-8011

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8011 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:45:26Z

Weaknesses