Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in Downloads in Google Chrome on Mac prior to 149.0.7827.53 allowed a local attacker to potentially perform a sandbox escape via a crafted AppleScript command. (Chromium security severity: Medium)
AnalysisAI
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a local attacker to break out of the browser sandbox via a crafted AppleScript command targeting the Downloads component. The flaw stems from insufficient input validation (CWE-20) and is rated CVSS 8.6 due to scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile).
Technical ContextAI
The vulnerability resides in Chrome's Downloads subsystem on macOS, where the browser interacts with the operating system's AppleScript automation framework. AppleScript is Apple's inter-process scripting language used to drive applications via Apple Events; Chrome on Mac exposes scriptable handles that must rigorously validate any externally-influenced parameters. The root cause is classified as CWE-20 (Improper Input Validation), meaning Chrome accepted AppleScript-supplied data without enforcing the constraints required to keep operations inside the renderer/browser sandbox. Because the CVSS scope is Changed (S:C), a successful exploit crosses the sandbox boundary and impacts resources controlled by a different security authority - i.e., the host macOS user context outside Chrome's sandbox.
RemediationAI
Vendor-released patch: upgrade Google Chrome on macOS to 149.0.7827.53 or later via the Stable channel update referenced at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html; in managed environments, push the update through MDM (Jamf, Intune for Mac, Kandji) and verify version compliance. As a compensating control until patching completes, restrict AppleScript automation targeting Chrome by using macOS Privacy & Security 'Automation' permissions to deny non-essential apps the ability to send Apple Events to Google Chrome - this blocks the local delivery path but will also break any legitimate workflow that drives Chrome via AppleScript or osascript. Additionally, limit users' ability to execute untrusted .scpt or .applescript files from email or downloads via Gatekeeper and endpoint controls; the trade-off is added friction for power users and admins who rely on macOS automation.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34619
GHSA-g859-48pm-cxfc