Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) enables a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. The flaw is classified under CWE-352 (Cross-Site Request Forgery), indicating the Extensions implementation incorrectly handles cross-origin request validation in a way that bypasses same-origin isolation boundaries. No public exploit has been identified at time of analysis, and an EPSS score of 0.03% (11th percentile) signals low current exploitation probability despite the High confidentiality impact rating.
Technical ContextAI
The vulnerability resides in Google Chrome's Extensions subsystem, where an inappropriate implementation introduces a CSRF-class flaw (CWE-352) that undermines cross-origin data isolation enforced by the browser's same-origin policy. Browser extensions frequently operate with elevated permissions and can interact with page content across multiple origins; when the extension subsystem improperly validates the origin of requests or fails to enforce adequate cross-origin checks, a crafted HTML page can exploit this to leak data from otherwise isolated contexts. The affected product is Google Chrome stable channel prior to version 149.0.7827.53 across all desktop platforms. The CVSS confidentiality impact of High (C:H) combined with zero integrity and availability impact (I:N/A:N) is consistent with a read-only data exfiltration primitive, not arbitrary code execution. The Chromium issue tracker reference (issues.chromium.org/issues/501541962) provides upstream detail, though it may be access-restricted pending broader patch adoption.
RemediationAI
The primary fix is to upgrade Google Chrome to version 149.0.7827.53 or later, which is the vendor-released patch per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome auto-updates by default; enterprise administrators should verify fleet-wide deployment and trigger forced updates for managed devices where auto-update is delayed or disabled via policy. As a compensating control where immediate patching is not feasible, restricting third-party Chrome Extension installation using the ExtensionInstallBlocklist or ExtensionInstallAllowlist enterprise policies reduces the extensions attack surface implicated in this flaw, though this does not remediate the underlying vulnerability and may disrupt user workflows dependent on extensions. Additionally, enforcing web filtering to block known malicious or unvetted domains reduces the likelihood of victims reaching attacker-hosted exploit pages that rely on the UI:R prerequisite.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34590
GHSA-m4xv-prr9-c93r