Description
Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome versions before 148.0.7778.96 contain a weakness where the WebApp component does not enforce its security policy strictly. This flaw enables a malicious web page to forge user interface elements, misleading users into interacting with fake controls or entering sensitive data. The attack does not give code execution privileges, but it can lead to social engineering and data theft by convincing users that they are interacting with legitimate Chrome UI. The likely attack vector is a user visiting a crafted webpage, and it is inferred that user interaction is required for exploitation.

Affected Systems

The affected product is Google Chrome. All desktop installations running any version prior to 148.0.7778.96 are vulnerable; the flaw was present in stable channel releases before that version. No other vendors or products are listed.

Risk and Exploitability

The CVSS score is 5.4, indicating a moderate risk level. The EPSS score is < 1% (approximately 0.06%), indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a user visiting a malicious webpage, and it is inferred that the attacker must lure a user into opening or interacting with a crafted HTML document in Chrome. The likelihood of exploitation is limited by the need for user interaction, but the impact could be significant if users provide sensitive information to the spoofed UI.

Generated by OpenCVE AI on May 9, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 148.0.7778.96 or later via the official update mechanism, which fixes the identified CWE-1021 and CWE-451 weaknesses.
  • Disable or restrict the WebApp feature for untrusted sites using policy settings or extensions to mitigate the UI spoofing risk highlighted by CWE-1021.
  • Provide user education on phishing and UI spoofing to reduce the chance of social engineering attacks.

Generated by OpenCVE AI on May 9, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6250-1 chromium security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title UI Spoofing via Weak Policy Enforcement in Chrome WebApp chromium-browser: Insufficient policy enforcement in WebApp
Weaknesses CWE-1021
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Title UI Spoofing via Weak Policy Enforcement in Chrome WebApp

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title UI Spoofing via WebApp Policy Bypass in Google Chrome
Weaknesses CWE-602
CWE-610

Wed, 06 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title UI Spoofing via WebApp Policy Bypass in Google Chrome
First Time appeared Google
Google chrome
Weaknesses CWE-602
CWE-610
Vendors & Products Google
Google chrome

Wed, 06 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-06T21:12:37.599Z

Reserved: 2026-05-05T22:59:36.558Z

Link: CVE-2026-8019

cve-icon Vulnrichment

Updated: 2026-05-06T20:54:02.970Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T19:16:52.863

Modified: 2026-05-07T15:26:05.523

Link: CVE-2026-8019

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-8019 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses