Skip to main content

Google Chrome CVE-2026-13860

| EUVDEUVD-2026-40546 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-w3r9-fpv5-f824
4.2
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
4.2 MEDIUM

UI spoofing of Autofill security indicators may expose saved credential data (C:L); no availability impact is expected from a rendering-layer flaw, making A:N more accurate than the vendor-assigned A:L.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:23 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
4.2 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.2

DescriptionCVE.org

Incorrect security UI in Autofill in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted HTML page via phishing or malvertising
Delivery
Victim clicks into targeted form field
Exploit
Incorrect Autofill security UI renders
Execution
User deceived by spoofed browser UI indicator
Impact
Autofill populates and submits data to attacker endpoint

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target is running Google Chrome on Windows with a version below 150.0.7871.47, and that Autofill is enabled (the default configuration for Chrome). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 4.2 (Medium) accurately reflects a constrained real-world risk profile: AC:H indicates high exploitation complexity driven by the requirement for orchestrated user UI gestures, and UI:R confirms passive exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a phishing email containing a link to a crafted HTML page designed to trigger Chrome's Autofill overlay in a misleading context - for example, a fake login form that mimics a trusted site. When the victim, running Chrome on Windows prior to 150.0.7871.47, clicks into the form field as prompted, the incorrect Autofill security UI renders, presenting a spoofed prompt that appears to be a legitimate browser-managed credential dialog. …
Remediation Update Google Chrome on Windows to version 150.0.7871.47 or later, available via the stable channel and documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy