
Google Chrome CVE-2026-11695

EUVD-2026-35221 | Severity: Medium (4.3, NVD; rating disputed between sources) | Protection Mechanism Failure (CWE-693)
Published 2026-06-09 | Assigner: chrome-cve-admin@google.com | GHSA-q4rm-h6xg-hcmq

Severity by source

Sources disagree (Medium to Critical):
  NVD (primary)   4.3 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  SUSE            CRITICAL     (qualitative)
  Red Hat         7.4 HIGH     (qualitative)

vuln.today treats the vendor's rating as authoritative; a higher third-party score (e.g. from CISA-ADP) is shown for transparency but does not drive the headline severity. Note that on this page the headline follows NVD's 4.3 (Medium), while the Chromium project itself rates the bug High in the CVE description and the distribution vendors rate it High to Critical. NVD's vector scores the impact as a limited confidentiality loss only (C:L, I:N, A:N), which is what pulls its number down; practitioners triaging a browser fleet should weight the Chromium rating, since it comes from the team that knows what the leaked data is.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  Attack Vector (AV):        Network
  Attack Complexity (AC):    Low
  Privileges Required (PR):  None
  User Interaction (UI):     Required
  Scope (S):                 Unchanged
  Confidentiality (C):       Low
  Integrity (I):             None
  Availability (A):          None

Lifecycle Timeline (4 events, oldest first)

  Jun 09, 2026 00:16  CVE Published (NVD)              no severity yet
  Jun 09, 2026 00:16  CVE Published (NVD)              MEDIUM 4.3 (second record of the same publication event, already carrying the later score)
  Jun 09, 2026 02:22  CVSS changed (NVD)               4.3 (MEDIUM)
  Jun 09, 2026 02:56  Analysis generated (vuln.today)

Description (CVE.org)

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Analysis (AI-generated)

Google Chrome's Passwords feature, in all versions before 149.0.7827.103, lets a remote, unauthenticated attacker leak cross-origin data by getting the victim to load a crafted HTML page. CVE.org classifies the flaw as CWE-693 (Protection Mechanism Failure), a generic category for a security control that exists but is not applied correctly; here the control that fails is the browser's origin isolation as it applies to the Passwords subsystem. The CVE description does not say which data crosses the origin boundary or by what mechanism, so nothing beyond "cross-origin data" should be assumed from the metadata. The Chromium project rates the issue High. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata, not from a published exploit:
  Access:     Attacker hosts a crafted HTML page
  Delivery:   Link is delivered to the target via phishing or a redirect
  Exploit:    Victim opens the page in an unpatched Chrome (before 149.0.7827.103)
  Execution:  The page triggers the flaw in the Passwords subsystem
  Impact:     Cross-origin data is leaked to the attacker-controlled page (the description does not say whether this includes stored credentials)

Vulnerability Assessment (AI-generated)

Exploitation: The victim must load a crafted HTML page in an affected Chrome version (before 149.0.7827.103). The UI:R metric in the CVSS vector records this user interaction; the CVE description names no further precondition (no privileges, no prior compromise, no specific browser state), though it also does not rule one out. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) describes a network-reachable, low-complexity attack that needs no privileges but does require user interaction, namely a victim visiting a crafted page. NVD scores the impact as a limited loss of confidentiality only (C:L, I:N, A:N), which is why its 4.3 sits well below the Chromium project's own High rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker hosts a page whose markup or JavaScript triggers the flawed behaviour in Chrome's Passwords component and lures the target to it via phishing, a compromised ad, or a malicious link. When the page loads and exercises the Passwords subsystem, the browser exposes data belonging to another origin, potentially including credential-related state, to the attacker-controlled page. The CVE description gives no public exploit details. …
Remediation: Update Google Chrome to 149.0.7827.103 or later via the built-in updater (chrome://settings/help) or enterprise deployment tooling, then relaunch the browser, since a downloaded update is not active until Chrome restarts. Confirm the running build on chrome://version. Chromium packages shipped by Linux distributions carry their own fix versions (see Vendor Status below). … Detailed patch versions, workarounds, and compensating controls in full report.
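When checking a fleet against the fixed build named above, the trap is comparing Chrome's four-part version strings lexically: "149.0.7827.9" sorts after "149.0.7827.103" as text but is older. The following script is an added example, not code from vuln.today or the Chromium project; it assumes an inventory of constructed `host<TAB>output-of-google-chrome --version` lines (hostnames and versions are hypothetical) and flags every host older than 149.0.7827.103 using numeric component-wise comparison.

```python
import re
from typing import Iterable, List, Tuple

# First fixed build named in the CVE description for CVE-2026-11695.
FIXED_VERSION = "149.0.7827.103"

# Chrome prints e.g. "Google Chrome 148.0.7800.61" or "Chromium 149.0.7827.103";
# capture the dotted numeric version wherever it appears in the text.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a Chrome version from free text as a 4-tuple of ints.

    Chrome versions are major.minor.build.patch. Comparing them as strings is
    wrong ("149.0.7827.9" > "149.0.7827.103" lexically), so each component is
    converted to int and short versions are right-padded with zeros.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string in: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is strictly older than the first fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Parse 'host<TAB>version output' lines; return (host, version text, needs update)."""
    results = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and header/comment lines
            continue
        host, _, version_text = line.partition("\t")
        results.append((host, version_text, is_vulnerable(version_text)))
    return results


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = """\
# host\tgoogle-chrome --version
ws-01\tGoogle Chrome 148.0.7800.61
ws-02\tGoogle Chrome 149.0.7827.103
ws-03\tGoogle Chrome 149.0.7827.9
ws-04\tChromium 150.0.7900.0
""".splitlines()


if __name__ == "__main__":
    for host, ver, vuln in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {ver:32} {'UPDATE REQUIRED' if vuln else 'ok'}")
```

ws-03 is the case that matters: it is reported as needing the update even though its version string would sort as "newer" than the fixed build in a plain string comparison. Note the check is against the installed build; Chrome that has downloaded the update but not relaunched still reports the old version on chrome://version.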


Vendor Status

SUSE (severity: Critical)
  openSUSE Leap 16.0   Fixed
  openSUSE Tumbleweed  Fixed
