Description
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A script injection flaw in the SanitizerAPI of Chrome for Android lets a remote attacker inject arbitrary scripts or HTML by luring a user to a crafted web page. The recorded weaknesses are CWE‑79 (cross‑site scripting) and CWE‑94 (code injection); Chromium classes the bug as universal cross‑site scripting (UXSS), meaning the injected JavaScript runs in the context of a site the user trusts rather than only in the attacker's own origin, exposing whatever data and session state the browser holds for that site.

Affected Systems

Google Chrome on Android at any version before 148.0.7778.168 is affected; 148.0.7778.168 is the first fixed version named in the CVE description. The description names only Chrome on Android, and the Debian advisory listed under Advisories (DSA-6273-1) shows the fix also shipped for Debian's chromium package.

Risk and Exploitability

The flaw is triggered remotely with no authentication (CVSS PR:N), but it requires the victim to load the crafted page (UI:R). The CVSS 3.1 base score is 5.4 (Medium), with partial confidentiality and integrity impact and no availability impact, whereas Chromium rates the bug High; the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so exploitation is not known to be occurring. A successful exploit gives the attacker's script the privileges of the targeted site in the victim's browser, which is enough for session hijacking, credential theft from that site, or convincing phishing; it does not by itself escape the renderer sandbox, so installing malware on the device would require chaining a further bug.

Generated by OpenCVE AI on May 15, 2026 at 13:43 UTC.

Remediation

Google fixed the issue in Chrome for Android 148.0.7778.168, the version named in the description; Debian has published DSA-6273-1 for its chromium package. No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade Chrome on all Android devices to 148.0.7778.168 or newer; on Debian, apply DSA-6273-1 for chromium.
  • If an update is not immediately possible, reduce exposure until it is: a managed URL allowlist or content filter that blocks untrusted sites removes the attacker's delivery path (a crafted page the user must visit). Disabling JavaScript entirely also works but breaks most sites, so treat it as a last resort.
  • Site isolation is enabled by default on recent Chrome for Android (at minimum for sites the user logs into, on devices with enough memory); confirm it has not been turned off by policy, but do not treat it as a fix for a script‑injection bug inside a document. Chrome has no "strict origin enforcement" setting.
  • Other Chromium‑based browsers share the SanitizerAPI implementation, so switching browsers does not remove the bug unless that browser has shipped the corresponding fix; check its release notes rather than assuming it is unaffected.
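The affected‑systems statement and the first recommended action both reduce to one check: is an installed Chrome‑on‑Android version older than 148.0.7778.168? The following is an added example, not code from the OpenCVE page or from Google, that runs that check over a fleet inventory export. The inventory format and every device name and version in it are constructed for the example; the only fact taken from the page is the fixed version. Chrome versions are MAJOR.MINOR.BUILD.PATCH and must be compared numerically per component, since a plain string comparison ranks 148.0.7778.90 above 148.0.7778.168 and would report an unpatched device as safe.

```python
"""Fleet check: which Chrome-on-Android installs are below the fixed version?

Added example, not part of the OpenCVE page or any Google/Chromium tooling.
The inventory format, devices and versions below are constructed; only the
fixed version 148.0.7778.168 comes from the CVE description.
"""

FIXED_VERSION = "148.0.7778.168"  # first fixed Chrome-on-Android version per the CVE


def parse_version(ver: str) -> tuple:
    """Parse a dotted Chrome version such as "148.0.7778.168" into a tuple of ints.

    Chrome versions are MAJOR.MINOR.BUILD.PATCH and compare component by
    component as integers. A string comparison gets it wrong:
    "148.0.7778.90" > "148.0.7778.168" as strings, but 90 < 168.
    """
    parts = ver.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Chrome version: {ver!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `ver` is strictly older than the first fixed version."""
    return parse_version(ver) < parse_version(fixed)


def triage_inventory(lines):
    """Classify inventory records of the form 'device,platform,chrome_version'.

    Only Android records are in scope for this CVE. Other platforms are reported
    as out of scope rather than silently dropped, and records with a malformed
    or missing version are flagged so they are never mistaken for 'patched'.
    Returns a dict of status -> sorted list of device names.
    """
    result = {"vulnerable": [], "patched": [], "out_of_scope": [], "unparseable": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["unparseable"].append(line)
            continue
        device, platform, ver = fields
        if platform.lower() != "android":
            result["out_of_scope"].append(device)
            continue
        try:
            vulnerable = is_vulnerable(ver)
        except ValueError:
            result["unparseable"].append(device)
            continue
        result["vulnerable" if vulnerable else "patched"].append(device)
    return {status: sorted(devices) for status, devices in result.items()}


# Constructed sample export: hypothetical device names and version strings.
SAMPLE_INVENTORY = """\
# device,platform,chrome_version
pixel-a1,android,148.0.7778.90
pixel-b2,android,148.0.7778.168
galaxy-c3,android,147.0.7700.210
galaxy-d4,android,149.0.7800.12
laptop-e5,windows,148.0.7778.90
tablet-f6,android,unknown
"""

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY.splitlines())
    for status, devices in report.items():
        print(f"{status:13s} {', '.join(devices) or '-'}")
```

The "unparseable" bucket matters in practice: MDM exports often carry "unknown" or an empty string for devices that have not checked in, and a naive comparison would either crash on them or, worse, treat them as patched.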


Advisories
Source      ID          Title
Debian DSA  DSA-6273-1  chromium security update
History

Fri, 15 May 2026 12:15:00 +0000
  Title        chromium-browser: chromium-browser: Script injection in SanitizerAPI
  Weaknesses   CWE-79
  References   -
  Metrics      threat_severity: None -> Important

Fri, 15 May 2026 00:15:00 +0000
  Title        Script Injection in Chrome on Android Enabling Arbitrary Script Execution

Thu, 14 May 2026 22:30:00 +0000
  Title        Script Injection in Chrome on Android Enabling Arbitrary Script Execution

Thu, 14 May 2026 22:15:00 +0000
  Metrics      cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  Metrics      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 22:00:00 +0000
  First Time appeared   Google; Google chrome
  Vendors & Products    Google; Google chrome

Thu, 14 May 2026 20:15:00 +0000
  Description  Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
  Weaknesses   CWE-94
  References   -

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-14T21:29:58.440Z

Reserved: 2026-05-14T05:40:17.478Z

Link: CVE-2026-8539

Vulnrichment

Updated: 2026-05-14T21:29:55.374Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:14.760

Modified: 2026-05-14T22:16:48.000

Link: CVE-2026-8539

Red Hat

Severity : Important

Public Date: 2026-05-14T19:52:22Z

Links: CVE-2026-8539 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T13:45:16Z

Weaknesses