Skip to main content

Google Chrome CVE-2026-13886

| EUVDEUVD-2026-40572 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-30 chrome-cve-admin@google.com GHSA-pj3j-53c6-vxqw
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network delivery and no attacker privileges required, but mandatory user interaction; integrity-only impact with no scope change or confidentiality/availability consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:30 vuln.today
CVSS changed
Jul 01, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient policy enforcement in Isolated Web Apps in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Content Security Policy bypass in Google Chrome's Isolated Web Apps (IWA) subsystem allows remote attackers to circumvent enforcement mechanisms via a specially crafted HTML page, resulting in high-integrity impact with no confidentiality or availability consequence. Affected versions are all Chrome releases prior to 150.0.7871.47. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page
Delivery
Delivers link via phishing or malicious redirect
Exploit
Victim visits page in unpatched Chrome
Execution
IWA CSP enforcement logic fails to apply policy
Persist
Attacker-controlled content executes past CSP restrictions
Impact
Integrity of IWA context compromised

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running Google Chrome prior to 150.0.7871.47 on a desktop platform and navigates to an attacker-controlled HTML page (UI:R - active user interaction is mandatory). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) reflects a network-accessible, low-complexity, no-privilege-required attack that nonetheless demands user interaction (UI:R) and carries no confidentiality or availability impact - only a high integrity impact from the CSP bypass. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page designed to abuse Chrome's IWA Content Security Policy enforcement logic and distributes its URL via phishing, malvertising, or a compromised site. When a Chrome user prior to 150.0.7871.47 visits the page, the browser's IWA policy engine fails to enforce CSP restrictions, allowing the attacker-controlled page to load or execute resources - such as inline scripts or cross-origin content - that would otherwise be blocked. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, which contains the vendor-released patch for this vulnerability per the Chrome stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy