Description
Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the Preload feature of Google Chrome allowed a remote attacker to leak cross‑origin data via a crafted HTML page. The vulnerability can expose sensitive content from other origins, leading to a confidentiality breach. The Chromium security team rated the issue as low severity, but the potential data exposure remains significant for users visiting maliciously crafted sites.

Affected Systems

Google Chrome is affected, specifically any installation prior to version 148.0.7778.96. Users running these older Chrome releases are susceptible to the data leakage flaw.

Risk and Exploitability

No EPSS score is available and the CVE is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. The likely attack vector is remote: the victim loads a maliciously crafted web page. That page triggers the Preload mechanism in the victim's browser and thereby leaks data from a different origin. While the severity rating is low, the confidentiality impact is real and remediation is advised.

Generated by OpenCVE AI on May 7, 2026 at 03:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 148.0.7778.96 or later, ensuring that the Preload bug is fixed
  • Enable automatic updates in Chrome to receive future security patches promptly
  • If you operate an environment that prohibits exposure of cross‑origin data, consider disabling the Preload feature via policy or configuration tools until a patch is available

Advisories

No advisories yet.

History

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Title Chrome Preload Feature Causing Cross‑Origin Data Leakage

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cross‑origin Data Leakage via Preload Feature in Google Chrome
Weaknesses CWE-200

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Cross‑origin Data Leakage via Preload Feature in Google Chrome
Weaknesses CWE-200

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:24.955Z

Reserved: 2026-05-05T22:59:35.273Z

Link: CVE-2026-8014

Vulnrichment

Updated: 2026-05-06T20:58:16.590Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T19:16:52.353

Modified: 2026-05-06T22:16:45.913

Link: CVE-2026-8014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T03:15:20Z

Weaknesses