Skip to main content

Google Chrome CVE-2026-13818

| EUVDEUVD-2026-40504 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-wvx6-6h8r-v7gv
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Attacker delivers exploit via network-hosted HTML requiring user visit (AV:N, UI:R); no privileges or credentials needed (PR:N); navigation bypass yields high integrity impact with no confidentiality or availability effect (C:N/I:H/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 18:28 vuln.today
CVSS changed
Jul 01, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:16 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page
Delivery
Deliver link to Chrome user via phishing or compromised site
Exploit
User visits page in Chrome prior to 150.0.7871.47
Execution
Crafted content triggers Passwords subsystem access control flaw
Persist
Bypass Chrome navigation restrictions
Impact
Redirect victim navigation to unintended or attacker-controlled destination

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running Google Chrome for desktop in any version prior to 150.0.7871.47. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 reflects a network-accessible flaw with low complexity and no privilege requirement, moderated by mandatory user interaction (UI:R) and no scope change (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page that exploits the inappropriate implementation in Chrome's Passwords component to bypass navigation restrictions, then delivers the link via phishing email or a compromised website. When a user running Chrome prior to 150.0.7871.47 visits the page, the crafted content triggers the access control failure, allowing the attacker to redirect or manipulate navigation to unintended destinations - potentially facilitating credential harvesting or bypassing same-site navigation guards. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, as documented in the stable channel update advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy