Skip to main content

Google Chrome CVE-2026-13984

| EUVDEUVD-2026-40672 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-8xxp-h8m6-wxx9
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered via crafted HTML with no auth required (PR:N), but demands active victim navigation (UI:R); impact is UI deception only, so I:L and C/A remain N.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 17:28 vuln.today
CVSS changed
Jul 01, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 4.3
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Incorrect security UI in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's TabStrip component, fixed in version 150.0.7871.47, enables remote attackers to misrepresent browser security indicators through specially crafted HTML pages. The incorrect security UI rendering in the tab strip allows an attacker to deceive users about the true origin or security state of a webpage, creating phishing-enablement risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted HTML page link to victim
Delivery
Victim opens link in unpatched Chrome
Exploit
TabStrip renders incorrect security UI
Execution
Victim deceived about displayed page origin
Impact
Victim submits credentials or sensitive data to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively navigate to a crafted HTML page controlled by the attacker (UI:R), making this entirely dependent on some form of social engineering, malicious advertisement, or link delivery to achieve user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N correctly characterizes this as a network-reachable, low-complexity flaw requiring no authentication but demanding active user interaction (visiting a crafted page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page designed to trigger incorrect TabStrip rendering in Chrome, making the browser's tab strip display a trusted domain name or security indicator that does not correspond to the actual loaded resource. A victim who navigates to the attacker's URL - delivered via phishing email or malicious advertisement - sees a spoofed security UI suggesting a trusted site, potentially increasing the likelihood of credential submission or sensitive data entry. …
Remediation The primary remediation is to update Google Chrome to version 150.0.7871.47 or later, as confirmed by the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy