Skip to main content

Google Chrome CVE-2026-13944

| EUVDEUVD-2026-40632 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-30 chrome-cve-admin@google.com GHSA-378g-rr79-9cqw
3.1
CVSS 3.1 · Vendor: google

Severity by source

Vendor (google) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Network-delivered via crafted page (AV:N), but specific UI gestures raise complexity (AC:H); no auth needed (PR:N); only partial cross-origin confidentiality leak with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 22:31 vuln.today
CVSS changed
Jul 01, 2026 - 20:22 NVD
3.1 (LOW)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in DataTransfer in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's DataTransfer implementation on macOS exposes sensitive content from one origin to an attacker-controlled page by exploiting improper boundary enforcement during user-driven UI gestures such as drag-and-drop. Versions prior to 150.0.7871.47 on Mac are affected; the flaw is platform-specific to macOS, limiting scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page on attacker server
Delivery
Lure macOS Chrome user to page via phishing
Exploit
Social-engineer victim into drag-and-drop gesture
Execution
DataTransfer boundary check bypassed
Persist
Cross-origin sensitive data captured
Impact
Exfiltrate data to attacker-controlled endpoint

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: the victim must be running Google Chrome on macOS (not Windows or Linux), the victim must be running a version prior to 150.0.7871.47, and the victim must be socially engineered into performing specific UI gesture sequences (such as drag-and-drop interactions) on an attacker-controlled HTML page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate despite the network attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page that embeds a cross-origin resource (such as a sensitive authenticated document) alongside UI elements designed to guide the victim into performing a specific drag-and-drop gesture, such as dragging apparent 'decorative' content across the page. On a macOS Chrome victim visiting this page, the DataTransfer event handler in the crafted page captures cross-origin data that should have been isolated, transmitting it back to the attacker's server. …
Remediation Update Google Chrome on macOS to version 150.0.7871.47 or later immediately; this is the vendor-released patch confirmed by the Chrome stable channel advisory at chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy