Skip to main content

Google Chrome CVE-2026-13946

| EUVDEUVD-2026-40634 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-30 chrome-cve-admin@google.com GHSA-7xj3-67hv-x5fp
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.7 MEDIUM

Changed scope to S:C because the flaw breaches cross-origin isolation boundaries, reading data from a security domain distinct from the attacker's origin.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 22:32 vuln.today
CVSS changed
Jul 01, 2026 - 20:22 NVD
4.3 (None) 4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in ScriptInjections in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML page exploiting ScriptInjections flaw
Delivery
Host page on attacker-controlled server
Exploit
Deliver phishing link to iOS Chrome user
Execution
Victim visits page in Chrome on iOS
Persist
ScriptInjections implementation incorrectly grants cross-origin script access
Impact
Victim's cross-origin data exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be using Google Chrome on an iOS device running a version prior to 150.0.7871.47 - no other platforms are affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-low despite the cross-origin nature of the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a phishing link to an iOS Chrome user who is authenticated to a sensitive internal web application. The victim clicks the link and visits the attacker-controlled HTML page, which uses the crafted page structure to trigger Chrome's ScriptInjections mechanism and read data (such as page content or cookies visible to the injected script) belonging to the victim's authenticated cross-origin session. …
Remediation Update Google Chrome on iOS to version 150.0.7871.47 or later, available through the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy