Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome on iOS (prior to 149.0.7827.53) allows an unauthenticated remote attacker to present a deceptive interface to users by serving a crafted HTML page, specifically targeting the Signin flow. The root cause is an inappropriate implementation classified under CWE-20 (Improper Input Validation), meaning Chrome fails to sufficiently validate or constrain inputs that influence the rendered signin UI. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.05% (15th percentile) indicates very low near-term exploitation probability, consistent with the Low Chromium severity rating.
Technical ContextAI
The vulnerability resides in the Signin component of Google Chrome on iOS, distinct from the desktop Chromium codebase, implying platform-specific rendering or input-handling behavior on Apple's WebKit/iOS environment. CWE-20 (Improper Input Validation) as the root cause class indicates that attacker-controlled input - delivered via a crafted HTML page - is not adequately sanitized or constrained before influencing the signin UI rendering logic. This category of flaw frequently manifests as address bar spoofing, tab UI manipulation, or overlay abuse in mobile browsers, where OS-level constraints and browser chrome boundaries differ from desktop. The affected CPE scope is Google Chrome on iOS versions prior to 149.0.7827.53, as confirmed by the EUVD entry EUVD-2026-34741.
RemediationAI
Update Google Chrome on iOS to version 149.0.7827.53 or later, available through the Apple App Store. This is the vendor-released patch confirmed by the stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. No workarounds are documented for this specific flaw. As an interim measure for high-security environments, users can be instructed to manually verify the URL and certificate in the address bar before entering credentials on any signin page encountered while browsing, since this mitigates the practical impact of UI spoofing without requiring an immediate update. Enabling automatic app updates on iOS devices will ensure Chrome is kept current without manual intervention.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34741
GHSA-hgx4-2wp8-x7xc