Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Renderer-process compromise is a substantial prerequisite that raises AC to H; no victim-side authentication required; impact is limited to UI spoofing with no availability component.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome's Network component (versions prior to 150.0.7871.47) can be triggered by a remote attacker who has already compromised the renderer process, allowing browser UI elements to be faked via a crafted HTML page. This is a chained exploit - not a standalone flaw - requiring both prior renderer compromise and user interaction, which significantly constrains real-world risk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two chained prerequisites: (1) the attacker must have already achieved renderer-process compromise in the victim's Chrome browser - a significant prerequisite typically requiring a separate, distinct browser vulnerability to be exploited first; and (2) the victim must actively visit or be redirected to a crafted HTML page (user interaction required, consistent with UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) presents an incomplete picture by using AC:L, which does not capture the substantial implicit prerequisite of renderer-process compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has separately exploited a renderer-process vulnerability in the victim's Chrome browser delivers a crafted HTML page that passes malformed input through the Network component, exploiting the insufficient validation to spoof UI elements such as the origin indicator or address bar. The victim, presented with a convincing spoofed browser UI suggesting a trusted site, may submit credentials or sensitive data to an attacker-controlled destination. … |
| Remediation | Update Google Chrome to version 150.0.7871.47 or later; this is the vendor-confirmed fix per the stable channel advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40822
GHSA-7r54-w6p6-rv2x