Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
AC:H reflects the dual prerequisite of malicious extension installation plus crafted page delivery; UI:R captures mandatory active user participation; C:L/I:L reflects UXSS cross-origin script injection with no availability impact.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect security UI in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Incorrect security UI in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 enables Universal Cross-Site Scripting (UXSS), allowing script or HTML injection across web origins via a crafted HTML page. Exploitation requires that the victim user be socially engineered into installing a malicious extension, after which a crafted page triggers the CWE-79 flaw in the Extensions UI. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to have already installed a malicious Chrome extension, which itself requires active social engineering or compromise of an extension distribution channel - this is the primary limiting factor and the source of the AC:H rating. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Despite the UXSS class of impact being technically significant, the aggregate risk signals for this vulnerability are consistently low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious Chrome extension - potentially disguised as a productivity tool or hosted on a third-party site - and crafts a phishing campaign to convince a target user to install it. After installation, the attacker serves the victim a specially crafted HTML page that triggers the incorrect Extensions security UI behavior, injecting arbitrary scripts that execute across web origins the victim subsequently visits, enabling session token theft or content manipulation. … |
| Remediation | The primary fix is to update Google Chrome to version 150.0.7871.47 or later, which contains the vendor-released patch as documented in the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40645
GHSA-cwg6-g6fr-j834