Impact
A flaw in Google Chrome for iOS prior to version 148.0.7778.216 permits a remote attacker, through a crafted web page, to induce a user to perform specific UI gestures that trigger the injection of arbitrary scripts or HTML. The vulnerability is a form of universal cross-site scripting (UXSS). When executed, the injected code runs with the privileges of the browser context, enabling a malicious actor to steal user data, hijack the session, or potentially compromise the device if additional local exploits are available. The weakness is inadequate sanitization of user actions that lead to unintended script execution, and it can be classified as CWE-79.
Affected Systems
Google Chrome for iOS releases below 148.0.7778.216 are affected. The issue originates in the iOS implementation of Chrome’s UI handling. Users running older Chrome on iPhone or iPad devices should verify their browser version and update to the latest release to avoid exploitation.
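One way to carry out the version check across many devices, as an added example that is not part of the original advisory: Chrome on iOS identifies itself with a CriOS/<version> User-Agent token, so proxy or web-server logs can be scanned for builds below 148.0.7778.216. The function names, the (client_id, user_agent) record shape, and the sample User-Agent strings are constructed for illustration.

```python
import re

# First fixed Chrome for iOS build, taken from the advisory text.
FIXED = (148, 0, 7778, 216)

# Chrome on iOS reports "CriOS/<major.minor.build.patch>" in its User-Agent.
CRIOS_RE = re.compile(r"\bCriOS/(\d+(?:\.\d+){0,3})\b")


def crios_version(user_agent):
    """Return the Chrome for iOS version as a 4-tuple of ints, or None."""
    m = CRIOS_RE.search(user_agent)
    if not m:
        return None  # Safari, Chrome on other platforms, etc.
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions


def is_affected(user_agent):
    """True only for Chrome for iOS builds older than the fixed build."""
    v = crios_version(user_agent)
    # Tuple comparison is numeric per component, so .99 sorts below .216
    # (a plain string comparison would get this wrong).
    return v is not None and v < FIXED


def affected_clients(records):
    """records: iterable of (client_id, user_agent). Returns sorted findings."""
    hits = set()
    for client_id, ua in records:
        if is_affected(ua):
            hits.add((client_id, ".".join(map(str, crios_version(ua)))))
    return sorted(hits)


# Constructed sample records, e.g. extracted from proxy logs.
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
SAMPLE = [
    ("dev-01", IOS + "CriOS/147.0.7700.100 Mobile/15E148 Safari/604.1"),
    ("dev-02", IOS + "CriOS/148.0.7778.216 Mobile/15E148 Safari/604.1"),
    ("dev-03", IOS + "CriOS/148.0.7778.99 Mobile/15E148 Safari/604.1"),
    ("dev-04", IOS + "Version/18.5 Mobile/15E148 Safari/604.1"),
    ("dev-05", "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/147.0.0.0 Mobile Safari/537.36"),
]

if __name__ == "__main__":
    for client_id, version in affected_clients(SAMPLE):
        print(f"{client_id}: Chrome for iOS {version} is below the fixed build")
```

User-Agent strings are client-supplied, so treat the result as a triage list and confirm against MDM or app inventory data where available.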
Risk and Exploitability
The vulnerability has a CVSS score of 5.4, classifying it as moderate severity. Its EPSS score is < 1%, and it is not listed in the CISA KEV catalog, which indicates a low rate of publicly known exploitation. The attack requires user interaction with a crafted page and specific gestures; once the gesture is performed, the arbitrary code runs immediately. The low EPSS score suggests limited real-world exploitation, but the moderate severity and direct impact on user data warrant prompt remediation.