Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Changed scope to S:C because the flaw breaches cross-origin isolation boundaries, reading data from a security domain distinct from the attacker's origin.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in ScriptInjections in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to be using Google Chrome on an iOS device running a version prior to 150.0.7871.47 - no other platforms are affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low despite the cross-origin nature of the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a phishing link to an iOS Chrome user who is authenticated to a sensitive internal web application. The victim clicks the link and visits the attacker-controlled HTML page, which uses the crafted page structure to trigger Chrome's ScriptInjections mechanism and read data (such as page content or cookies visible to the injected script) belonging to the victim's authenticated cross-origin session. … |
| Remediation | Update Google Chrome on iOS to version 150.0.7871.47 or later, available through the Apple App Store. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40634
GHSA-7xj3-67hv-x5fp