Skip to main content

Google Chrome CVE-2026-14023

| EUVDEUVD-2026-40711 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-wrj4-qfvj-56qq
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted page (AV:N), low complexity (AC:L), no privileges needed (PR:N), victim must visit page (UI:R); impact is integrity-only SOP bypass (I:H), no confidentiality or availability impact, scope unchanged (S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 15:45 vuln.today
CVSS changed
Jul 01, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in SanitizerAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Same-origin policy bypass in Google Chrome's SanitizerAPI before version 150.0.7871.47 allows a remote attacker to violate cross-origin integrity boundaries through a crafted HTML page that exploits insufficient input validation. The flaw targets a security-critical browser API whose purpose is precisely to prevent unsafe HTML injection, making the bypass particularly notable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page exploiting SanitizerAPI flaw
Delivery
Lure victim via phishing or redirect
Exploit
Victim navigates to malicious page in vulnerable Chrome
Execution
SanitizerAPI fails to reject crafted HTML constructs
Persist
Same-origin policy boundary bypassed
Impact
Attacker script manipulates cross-origin DOM or integrity

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim actively visits or is redirected to an attacker-controlled HTML page - no account, session, or elevated privileges are needed by the attacker (PR:N confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, 6.5 Medium) reflects network-reachable exploitation with low attack complexity and no required privileges, but mandates user interaction (UI:R) - the victim must visit an attacker-controlled page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page containing specially constructed HTML input designed to evade the SanitizerAPI's validation logic and smuggle SOP-violating content through the sanitization step. When a victim navigates to or is redirected to this page - via phishing email, malicious advertisement, or compromised site link - Chrome's SanitizerAPI processes the crafted input and produces output that retains cross-origin-violating attributes or constructs. …
Remediation The primary fix is to update Google Chrome to version 150.0.7871.47 or later via the browser's built-in update mechanism (Menu → Help → About Google Chrome) or through enterprise deployment tooling such as Google Admin Console or Microsoft Intune. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy