Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
Content Security Policy bypass in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to circumvent CSP directives by delivering a crafted HTML page that requires only a user visit to trigger. The impact is confined to low-severity integrity violations (CVSS I:L) with no confidentiality or availability consequences, consistent with Chromium's own Low severity rating. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) reflects negligible near-term exploitation probability.
Technical ContextAI
Blink is the HTML rendering engine embedded in all Chromium-based browsers, responsible for parsing web content and enforcing browser security primitives including Content Security Policy. CSP is a declarative security mechanism that instructs the browser to restrict which resources (scripts, styles, frames, etc.) a page may load or execute, serving as a key mitigation against cross-site scripting and data injection. CWE-693 (Protection Mechanism Failure) identifies the root cause as a failure to correctly enforce an existing security control rather than an absence of one - the CSP logic is present in Blink but can be bypassed through insufficient enforcement in a specific code path. The affected component is the Blink engine within Google Chrome versions prior to 149.0.7827.53, as confirmed by EUVD affected version data. The Chromium issue tracker entry at https://issues.chromium.org/issues/502358901 is the upstream tracking reference, though the technical specifics of the enforcement gap are not detailed in available public data.
RemediationAI
Upgrade Google Chrome to version 149.0.7827.53 or later, as confirmed by the vendor's stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's automatic update mechanism will deliver this version to most end-user installations without manual intervention; enterprise administrators managing browser deployment via policy (e.g., Google Admin Console or ADMX templates) should verify update propagation and confirm version compliance. As a compensating control before patching can be verified across a managed fleet, organizations relying on CSP for high-assurance protections against XSS in critical internal web applications should consider temporarily enforcing web proxy allowlisting to restrict navigation to untrusted external origins. Note that network-layer controls do not address the Blink enforcement flaw itself and carry the trade-off of reduced user browsing capability; they are not a substitute for the vendor patch.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34753
GHSA-hf37-2h38-4573