CVE-2026-8527 - Vulnerability Details

- chromium-browser: chromium-browser: Insufficient validation of untrusted input in Downloads

Description

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Published: 2026-05-14

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An insufficient validation of untrusted input in the Downloads component of Google Chrome was discovered, enabling a remote attacker to execute arbitrary code through a specially crafted HTML page. The flaw can be classified as CWE-20 and CWE-79, where input is not properly checked before it is processed. The direct consequence for an affected user is the potential compromise of the entire system, allowing an attacker to run malicious code with the privileges of the browser process.

Affected Systems

Google Chrome browsers older than version 148.0.7778.168 are affected. The vulnerability exists in the Downloads feature across all platforms supported by the Chrome stable channel.

Risk and Exploitability

At the time of analysis EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no widely known exploitation at this moment. Nevertheless, because the flaw permits remote code execution via a crafted web page, it presents a high severity risk to any system that manually opens or automatically loads such content. A CVSS score of 8.8 further highlights the severity. An attacker can embed malicious code in a page served from any domain, and the attack vector is the user’s interaction with that page—typical of web‑based exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`148.0.7778.168`	affected	< 148.0.7778.168

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[148.0.7778.168,148.0.7778.168)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Google Chrome to version 148.0.7778.168 or newer, which includes the input‑validation fix for the Downloads component.
If an immediate upgrade is not possible, configure Chrome to require user confirmation before downloading files and use an additional antivirus scan or sandboxed environment before opening any downloaded content.
Ensure that Chrome’s sandboxing features and safe browsing policies are enabled, and consider applying enterprise policies to enforce strict download restrictions and automatic file verification.

Generated by OpenCVE AI on May 15, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6273-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html
https://issues.chromium.org/issues/486761172
https://nvd.nist.gov/vuln/detail/CVE-2026-8527
https://www.cve.org/CVERecord?id=CVE-2026-8527

History

Fri, 15 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		chromium-browser: chromium-browser: Insufficient validation of untrusted input in Downloads
Weaknesses		CWE-79
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8527 https://www.cve.org/CVERecord?id=CVE-2026-8527
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 15 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Insufficient Validation in Chrome Downloads Allows Arbitrary Code Execution

Thu, 14 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 May 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		Insufficient Validation in Chrome Downloads Allows Arbitrary Code Execution
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Thu, 14 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-20
References		https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html https://issues.chromium.org/issues/486761172

Subscriptions

Google Chrome

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-05-14T19:52:17.971Z

Updated: 2026-05-15T03:57:32.649Z

Reserved: 2026-05-14T05:40:14.638Z

Link: CVE-2026-8527

Vulnrichment

Updated: 2026-05-14T21:44:38.268Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:13.507

Modified: 2026-05-14T22:16:46.997

Link: CVE-2026-8527

Redhat

Severity : Important

Publid Date: 2026-05-14T19:52:17Z

Links: CVE-2026-8527 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T13:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object