Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AC raised to High because 'privileged network position' (MiTM) is an explicit prerequisite; all other metrics follow the description directly.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to bypass content security policy via malicious network traffic. (Chromium security severity: Medium)
AnalysisAI
Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation strictly requires that the attacker hold a privileged network position - the ability to intercept and inject traffic between the victim's Chrome browser and a web server (e.g., ARP spoofing, rogue access point, compromised gateway, or BGP-level hijack). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N scores 6.5 (Medium), but the AC:L assignment arguably understates the real-world difficulty: the description explicitly requires an 'attacker in a privileged network position,' which in practice means MiTM capability - a non-trivial prerequisite that is better reflected by AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating as a man-in-the-middle on a network segment the victim traverses - for example via a rogue Wi-Fi access point or ARP spoofing on a corporate LAN - intercepts Chrome's HTTP or HTTPS negotiation and injects crafted network responses that exploit the improper CSP implementation. When the victim browses to any web page (the required user interaction), Chrome processes the manipulated traffic and loads attacker-controlled resources that CSP policy should have blocked, enabling script injection or unauthorized data access. … |
| Remediation | Update Google Chrome to version 150.0.7871.47 or later, which contains the vendor-released patch per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40562
GHSA-wx7c-5g9f-68r4