Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Network-delivered with no attacker privileges needed but active user interaction required; impact is confidentiality-only with no scope change, consistent with cross-origin data leak.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient validation of untrusted input in WebUI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data exfiltration in Google Chrome's WebUI component (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive data across origin boundaries by delivering crafted malicious network traffic to an unpatched browser. The flaw arises from insufficient input validation (CWE-20) within the WebUI layer, undermining same-origin policy protections and exposing data from isolated origins to attacker-controlled contexts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running Google Chrome prior to version 150.0.7871.47 and to actively interact with attacker-controlled content or network traffic - confirmed by UI:R in the provided CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N yields a 6.5 Medium score, reflecting a network-reachable, low-complexity attack requiring no attacker authentication but mandating active user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker establishes a malicious web server and crafts network traffic or page content designed to trigger the WebUI input validation flaw in an unpatched Chrome browser. When a victim user visits the attacker's page or receives the crafted traffic - satisfying the UI:R requirement - Chrome's WebUI component improperly processes the input, causing data from a cross-origin context (such as contents of a co-loaded authenticated session or another browser tab) to be leaked to the attacker. … |
| Remediation | The primary remediation is upgrading Google Chrome to version 150.0.7871.47 or later, which includes the vendor-released patch per the stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40579
GHSA-x5fc-38m7-rp7v