Google Chrome browsers before 148.0.7778.96 suffer from a script injection flaw that allows a remote attacker, through a crafted HTML page, to inject arbitrary scripts or HTML into the UI. This flaw, identified as a form of UXSS, can lead to malicious code execution within the context of the page or the user's interaction, potentially enabling phishing, data theft, or other browser-based attacks. The weakness corresponds to CWE‑94, describing improper neutralization of input during web page generation.

All desktop installations of Google Chrome running any version earlier than 148.0.7778.96 are vulnerable. The flaw applies to standard Chrome builds for Windows, macOS, Linux, and other supported desktop platforms. The product is the standard Google Chrome browser used via the stable channel.

The issue has a low severity rating from Chromium’s internal evaluation. Exploitation requires the victim to load a maliciously crafted page and perform specific UI gestures to activate the injection; the attacker must obtain the user’s attention and willingness to interact. Chromiums CVSS score of 4.2 underscores the low severity classification for this vulnerability. Because the vulnerability is not listed in the CISA KEV catalog and the EPSS score is not available, the likelihood of widespread exploitation is currently unclear, but the exposed capability could be leveraged in targeted social‑engineering attacks. Users with unpatched Chrome versions are therefore at risk, particularly those who frequently visit unfamiliar sites or handle untrusted media.