Skip to main content

Google Chrome CVE-2026-14118

| EUVDEUVD-2026-40805 MEDIUM
Improper Input Validation (CWE-20)
2026-06-30 chrome-cve-admin@google.com GHSA-j39g-274j-3wpm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via crafted page, no privileges needed, but active UI gestures required; confidentiality-only impact with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 16:36 vuln.today
CVSS changed
Jul 01, 2026 - 16:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionNVD

Insufficient data validation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leak in Google Chrome DevTools prior to version 150.0.7871.47 exposes sensitive information from foreign origins when a victim visits a crafted HTML page and performs attacker-directed UI gestures. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no integrity or availability consequences. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML page
Delivery
Victim lured to visit page via phishing or redirect
Exploit
Victim performs specific UI gestures on page
Execution
DevTools input validation bypassed
Impact
Cross-origin data exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the victim runs Google Chrome prior to version 150.0.7871.47; (2) the victim navigates to a crafted HTML page controlled by the attacker; (3) the victim performs specific UI gestures on or within that page - this is a confirmed prerequisite per the CVE description and reflected in CVSS UI:R. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity attack path with high confidentiality impact, but the required user interaction (UI:R - specific UI gestures) is a meaningful constraint that prevents fully silent drive-by exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page and distributes it via phishing or a compromised website, then relies on social engineering to induce the victim into performing specific UI gestures - such as clicking particular elements or interacting with browser controls - while the page is open. Through the DevTools validation gap, the attacker's page reads cross-origin data the victim's browser can access (e.g., content from an authenticated session on another tab or origin), exfiltrating it to an attacker-controlled endpoint. …
Remediation Update Google Chrome to version 150.0.7871.47 or later, which is the vendor-released patch addressing this vulnerability (stable channel update, https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy