Description
Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome’s Search component fails to enforce proper security policies, allowing a remote attacker to host a malicious HTML page that reads cross‑origin data from the victim’s browser context. The attacker can then exfiltrate that data to an external destination. Though the flaw presents a confidentiality risk, it does not grant code execution or privilege escalation, and the CVE tags the Chromium security severity as Low, indicating a modest threat level.

Affected Systems

All installations of Google Chrome that are running a build earlier than 148.0.7778.96 are impacted. The CVE statement does not limit the issue to any particular channel or operating system; therefore, all platforms that support the affected Chrome release are susceptible.

Risk and Exploitability

The concern is remote; the attacker must persuade the user to navigate to a crafted HTML page. No authentication or elevated privileges are required. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 4.3 reflects that the attacker can only read data the browser permits, yet the confidentiality risk for sensitive users remains real.

Generated by OpenCVE AI on May 7, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 148.0.7778.96 or later
  • Keep automatic updates enabled to receive future security patches
  • If an upgrade cannot be performed immediately, consider disabling the Search feature or restricting cross‑origin script execution through the browser’s configuration settings

Generated by OpenCVE AI on May 7, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:45:00 +0000

Type Values Removed Values Added
Title Insufficient Search Policy Enforces Cross‑Origin Data Leak in Chrome

Thu, 07 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome Search Policy Enforcement Allows Cross‑Origin Data Leakage
Weaknesses CWE-200
CWE-284

Wed, 06 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Chrome Search Policy Enforcement Allows Cross‑Origin Data Leakage
Weaknesses CWE-200
CWE-284

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:53.219Z

Reserved: 2026-05-05T22:59:34.565Z

Link: CVE-2026-8011

cve-icon Vulnrichment

Updated: 2026-05-06T21:15:03.533Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-06T19:16:52.067

Modified: 2026-05-06T22:16:45.467

Link: CVE-2026-8011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:30:17Z

Weaknesses