Skip to main content

Google Chrome CVE-2026-14059

| EUVDEUVD-2026-40746 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-30 chrome-cve-admin@google.com GHSA-cvpc-8wff-778c
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered crafted page requires no attacker privileges but mandates user navigation; cross-origin data leak yields high confidentiality impact with zero integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 14:36 vuln.today
CVSS changed
Jul 01, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 stems from insufficient policy enforcement in the Related-Website-Sets feature, enabling a remote attacker to read sensitive cross-origin data by delivering a crafted HTML page to a victim. The CVSS 6.5 score with High confidentiality impact reflects meaningful exposure potential, though Google internally rated this as Low severity and EPSS sits at 0.17% (7th percentile), suggesting limited real-world exploitation risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker registers domain and crafts malicious HTML page
Delivery
Deliver page link via phishing or malvertising
Exploit
Victim navigates to page in Chrome < 150.0.7871.47
Execution
Browser fails to enforce Related-Website-Sets policy boundary
Persist
Attacker script reads restricted cross-origin data
Impact
Sensitive data exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is running Google Chrome for desktop in a version prior to 150.0.7871.47 and visits an attacker-controlled HTML page - user interaction in the form of page navigation is mandatory (UI:R confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N vector indicates a network-reachable, low-complexity attack requiring no attacker privileges but mandating user interaction, with high confidentiality impact and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and crafts an HTML page that exploits the Related-Website-Sets policy enforcement flaw to read data from a cross-origin context the attacker's site should not be able to access. The attacker then delivers a link to this page via phishing, malvertising, or embedding in a compromised site, and any Chrome user prior to 150.0.7871.47 who visits the page has cross-origin data silently exfiltrated to the attacker. …
Remediation The primary fix is to update Google Chrome to version 150.0.7871.47 or later, as documented in the Chrome stable channel release notes at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy