Description
Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient validation of untrusted input in the Input component of Google Chrome allows a remote attacker who has already compromised the renderer process to leak cross-origin data via a crafted HTML page. The page can read data from origins it should not normally be able to access, which can expose confidential information. The weakness is classified as CWE-20 (Improper Input Validation).

Affected Systems

Google Chrome versions earlier than 148.0.7778.179 are affected. The vulnerability exists in the stable channel of Chrome and applies to all operating systems that run the renderer process, since the affected component is part of the browser engine.

Risk and Exploitability

The CVSS score of 5.3 points to medium severity. Exploitation requires the attacker to first achieve compromise or foothold in the renderer process, which may require a separate vulnerability or privileged access. The EPSS score is not available and the flaw is not in CISA KEV, suggesting that widespread public exploitation is uncertain. Nevertheless, the attack vector remains possible for adversaries who can initially breach the renderer process.

Generated by OpenCVE AI on May 20, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to 148.0.7778.179 or later
  • Ensure that the renderer process is sandboxed and its privileges are minimized
  • Monitor Chrome for unexpected renderer-process activity and keep all Chrome components up to date

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Title | | Cross-origin data leakage via crafted HTML page in Chrome
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 20 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Wed, 20 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses | | CWE-20
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-20T19:31:27.296Z

Reserved: 2026-05-20T17:39:25.650Z

Link: CVE-2026-9124

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T20:16:45.360

Modified: 2026-05-20T20:16:45.360

Link: CVE-2026-9124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T22:00:08Z

Weaknesses