Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
AC:H reflects the mandatory renderer compromise prerequisite; AV:N and UI:R align with crafted HTML delivery; S:C and C:L capture limited cross-origin data exposure with no integrity or availability impact.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions to be met simultaneously: the attacker must have already achieved renderer process compromise through a separate, prior vulnerability, AND the victim user must interact with a crafted HTML page (confirming UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 4.7 (Medium) reflects limited confidentiality impact (C:L) and no integrity or availability consequence, but the assigned vector AV:N/AC:L/PR:N/UI:R/S:C warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a crafted HTML page that first exploits a separate renderer-level vulnerability to gain control of the Chrome renderer process, then uses this CVE's origin validation flaw in the Passwords subsystem to read cross-origin credential data from a different site. No public proof-of-concept is known, making this scenario most plausible as part of a targeted, chained browser exploit rather than opportunistic mass exploitation. |
| Remediation | Update Google Chrome to version 149.0.7827.197 or later, which is confirmed as the vendor-released patch per the stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39046
GHSA-3pfj-fj4c-9hh9