Description
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an inappropriate implementation in the Media component of Google Chrome that permits a remote attacker to craft an HTML page that performs UI spoofing. This flaw can mislead users into believing they are interacting with a legitimate interface when the page interface has been altered by the attacker. The official Chromium severity is low, suggesting no confirmed code execution or direct data theft, but the deception could facilitate credential phishing or other social‑engineering attacks.

Affected Systems

The issue affects all Google Chrome editions that run a version prior to 148.0.7778.96. Users of earlier stable channel releases are vulnerable; no other products or vendors are listed as affected.

Risk and Exploitability

A CVSS score of 5.4 indicates moderate risk and the EPSS score is unavailable, while the vulnerability is not listed in CISA’s KEV catalog, indicating that active exploitation has not been observed. The likely attack vector is a crafted HTML page served to the user, requiring the user to visit the page. Because the flaw only enables UI spoofing and does not grant code execution, the risk is moderate but could be amplified if combined with phishing techniques.

Generated by OpenCVE AI on May 7, 2026 at 00:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to 148.0.7778.96 or later.
  • Enable automatic updates in Chrome or configure your system to install updates as soon as they are available.
  • Use Chrome Safe Browsing or other web‑filtering solutions to reduce exposure to malicious web content until the update can be applied.

Generated by OpenCVE AI on May 7, 2026 at 00:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing via Inadequate Media Handling
Weaknesses CWE-79

Wed, 06 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Chrome UI Spoofing via Inadequate Media Handling
Weaknesses CWE-79

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:46:15.542Z

Reserved: 2026-05-05T22:59:35.538Z

Link: CVE-2026-8015

cve-icon Vulnrichment

Updated: 2026-05-06T20:56:24.721Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-06T19:16:52.450

Modified: 2026-05-06T22:16:46.067

Link: CVE-2026-8015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:00:14Z

Weaknesses