Description
Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Google Chrome for iOS contains an input validation flaw that allows an attacker who has already compromised the renderer process to craft an HTML page that bypasses the same origin policy. The vulnerability permits the attacker to read data from web pages of other origins, potentially leading to data exfiltration, cross‑origin scripting attacks, and related privacy violations. The flaw is classified as a CWE‑20 error and carries a high severity rating in Chromium’s internal scoring.

Affected Systems

Affected vendors and products: Google Chrome on iOS. Versions before 148.0.7778.216 are vulnerable. No other platform or version information is provided.

Risk and Exploitability

The vulnerability is significant but its exploitation requires the attacker to first compromise the renderer process. EPSS score is < 1%, indicating a very low exploitation probability, and the flaw is not listed in the CISA KEV catalog. Nevertheless, the high severity rating and the ability to bypass core browser security boundaries warrant prompt attention. Attackers could exploit the flaw by delivering a specially crafted site once they have gained entry to the renderer, enabling cross‑origin data access.

Generated by OpenCVE AI on May 29, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome on iOS to version 148.0.7778.216 or later.
  • Enable the browser’s automatic update feature or regularly check for new releases to maintain the latest security patches.
  • Avoid visiting untrusted or malicious websites until the update is applied, or disable third‑party extensions that might load unsafe content.

Generated by OpenCVE AI on May 29, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Untrusted Input in Chrome on iOS

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Same Origin Policy Bypass via Untrusted Input in Chrome on iOS

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-20
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:29:26.983Z

Reserved: 2026-05-28T17:24:58.388Z

Link: CVE-2026-9950

cve-icon Vulnrichment

Updated: 2026-05-29T16:29:23.653Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T23:16:53.150

Modified: 2026-05-29T18:17:16.357

Link: CVE-2026-9950

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:15:06Z

Weaknesses