Skip to main content

Google Chrome CVE-2026-11701

| EUVD-2026-35227 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 chrome-cve-admin@google.com GHSA-7c3h-9xjm-v983
Information Disclosure Google Red Hat Suse
Medium
Disputed · 5.4 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
SUSE
CRITICAL
qualitative
Red Hat
4.3 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 14:26 vuln.today
CVSS changed
Jun 09, 2026 - 14:22 NVD
5.4 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:16 nvd
MEDIUM 5.4
CVE Published
Jun 09, 2026 - 00:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's Guest View component prior to 149.0.7827.103 enables a remote unauthenticated attacker to deceive users about page content or origin by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation requires no privileges and no special network position, but does require the victim to visit a malicious page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker registers domain and hosts crafted HTML page
Delivery
Delivers link to victim via phishing or malvertising
Exploit
Victim clicks link in vulnerable Chrome (< 149.0.7827.103)
Execution
Crafted page triggers improper Guest View input handling
Persist
Chrome renders spoofed UI elements
Impact
Victim deceived into trusting malicious content or origin
Sign in to reveal

Vulnerability AssessmentAI

Exploitation User interaction is required - the victim must navigate to or be redirected to a crafted HTML page (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS score of 5.4 (Medium) reflects a network-accessible, low-complexity attack requiring no privileges but needing user interaction (UI:R), with limited confidentiality (C:L) and availability (A:L) impact and no integrity impact (I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and serves a crafted HTML page that triggers the improper Guest View implementation in Chrome. When a victim running a vulnerable Chrome version visits the page (e.g., via a phishing link or malvertising), Chrome renders spoofed UI elements - such as a falsified address bar display or security badge - that make a malicious origin appear legitimate, potentially tricking the user into submitting credentials or trusting harmful content. …
Remediation Update Google Chrome to version 149.0.7827.103 or later, which contains the vendor-released patch for this issue. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-11701 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy