Skip to main content

Google Chrome CVE-2026-13989

| EUVDEUVD-2026-40677 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-q49j-767p-6v57
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.3 MEDIUM

Attack is network-delivered via crafted HTML (AV:N) but requires prior renderer compromise (AC:H); UI:R for page interaction; I:H for full security indicator spoofing; C and A are N.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 22:01 vuln.today
CVSS changed
Jul 01, 2026 - 19:52 NVD
6.5 (MEDIUM) 5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 nvd
MEDIUM 5.3
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Inappropriate implementation in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's PageInfo component affects all desktop versions prior to 150.0.7871.47, enabling an attacker who has already compromised the renderer process to present deceptive browser security indicators to the user via a crafted HTML page. The vulnerability stems from an inappropriate implementation in the PageInfo subsystem (CWE-451), which controls the trusted security panel users consult to assess site authenticity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Exploit separate Chrome renderer vulnerability
Delivery
Gain renderer process code execution
Exploit
Load crafted HTML page targeting PageInfo
Execution
Trigger PageInfo misrepresentation flaw
Persist
Spoof browser security UI to victim
Impact
Deceive user into trusting malicious origin

Vulnerability AssessmentAI

Exploitation Exploitation requires two sequential conditions: first, the attacker must have already compromised the Chrome renderer process via a separate vulnerability (this is the AC:H driver in the CVSS vector); second, the victim user must interact with a crafted HTML page (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium rating is supported by the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N, where AC:H correctly captures the prerequisite of renderer process compromise - a significant barrier that materially lowers real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first exploits a separate renderer process vulnerability (such as a memory corruption bug in Chrome's JavaScript engine) to gain code execution within the sandboxed renderer. From that compromised renderer, the attacker serves a crafted HTML page that triggers the PageInfo implementation flaw, causing Chrome to display falsified security indicators - for example, presenting a phishing page as a trusted, certificate-verified origin. …
Remediation Upgrade Google Chrome to version 150.0.7871.47 or later - this is the vendor-released patch confirmed by the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-13989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy