Description
Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from an incorrect iOS implementation in Google Chrome before version 148.0.7778.216. A crafted HTML page can bypass the browser’s same‑origin policy, allowing a remote attacker to read data from other origins that the user has visited. This leaks confidential information that should be protected, representing an information exposure consistent with CWE‑200.

Affected Systems

Google Chrome for iOS versions older than 148.0.7778.216 on all iOS devices is impacted. No other browsers or vendors are listed as affected.

Risk and Exploitability

The record lists a CVSS 3.1 score of 4.3 (Medium, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), while the description gives a Chromium security severity of High, reflecting the potential for significant information exposure. The EPSS score is less than 1%, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a hostile web page that a user opens, enabling the attacker to read protected data from other origins. Until the browser is updated, the risk of data disclosure remains active.

Generated by OpenCVE AI on May 29, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome for iOS to version 148.0.7778.216 or newer.
  • Keep the iOS operating system updated to the latest security releases to strengthen platform controls.
  • Avoid visiting suspicious sites or opening untrusted content until the browser update is applied.


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Crafted HTML Page in Google Chrome for iOS

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cross‑Origin Data Leak via Crafted HTML Page in Google Chrome for iOS
Weaknesses CWE-200

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-05-29T16:30:45.597Z

Reserved: 2026-05-28T17:24:59.552Z

Link: CVE-2026-9955

Vulnrichment

Updated: 2026-05-29T16:30:42.628Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T23:16:53.703

Modified: 2026-05-29T18:17:16.680

Link: CVE-2026-9955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:15:07Z

Weaknesses