Skip to main content

Google Chrome CVE-2026-13851

| EUVDEUVD-2026-40537 CRITICAL
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-xh8q-x6hw-jhv5
9.1
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.5 MEDIUM

A crafted HTML page requires the victim to navigate to it, so UI:R; impact is an access-control/integrity bypass (I:H) with no confidentiality loss and no clear availability effect (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:23 vuln.today
CVSS changed
Jul 01, 2026 - 16:22 NVD
9.1 (CRITICAL)
CVE Published
Jun 30, 2026 - 23:16 cve.org
CRITICAL 9.1
CVE Published
Jun 30, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Page invokes WebAppInstalls flow
Exploit
Untrusted input bypasses input validation
Execution
Discretionary access control bypassed
Impact
Integrity/availability impact on device

Vulnerability AssessmentAI

Exploitation Exploitation targets the WebAppInstalls (web app / PWA installation) component of Chrome on Android and requires the victim to load an attacker-crafted HTML page, so in practice the user must navigate to attacker-controlled content - a limiting factor the vendor's UI:N rating omits. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page and lures an Android Chrome user to open it (for example via a phishing link or malvertising). The page abuses the insufficiently validated WebAppInstalls flow to bypass discretionary access controls, letting the attacker influence integrity-sensitive state or app-permission decisions on the device. …
Remediation Vendor-released patch: update Google Chrome for Android to 150.0.7871.47 or later, per the Chrome Releases advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Chrome for Android deployment scope across managed and unmanaged devices; notify mobile device management (MDM) team to prepare patch deployment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy