Skip to main content

Google Chrome CVE-2026-14153

| EUVDEUVD-2026-40840 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-w785-mvh3-x6r4
5.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-delivered via crafted page (AV:N); specific user gestures required raise complexity (AC:H, UI:R); spoofed UI can elicit credential disclosure (C:H); no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 02:45 vuln.today
CVSS changed
Jul 01, 2026 - 02:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 5.3

DescriptionCVE.org

Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in the Glic component of Google Chrome (all versions prior to 150.0.7871.47) enables a remote attacker to misrepresent browser interface elements via a crafted HTML page, provided the victim is socially engineered into performing specific UI gestures. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) assigns high confidentiality impact, suggesting the spoofed UI can be leveraged to elicit disclosure of sensitive information such as credentials or session data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML page targeting Glic
Delivery
Victim is phished into visiting the page
Exploit
Victim performs specific UI gestures as directed
Execution
Glic misrepresents browser UI elements (CWE-451)
Impact
Victim discloses sensitive information via spoofed prompt

Vulnerability AssessmentAI

Exploitation Exploitation requires three concrete conditions to be met simultaneously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 5.3 (Medium) is consistent with the vector breakdown: high attack complexity (AC:H) due to the requirement for specific user-triggered UI gestures, and mandatory user interaction (UI:R), both of which substantially suppress exploitability in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page designed to trigger Glic's inappropriate UI rendering when the victim performs a specific sequence of gestures - such as a series of clicks or swipes in a particular area of the page. The attacker delivers this page via a phishing email or a compromised site, and social engineers the victim into performing those gestures (e.g., disguising the required interaction as a CAPTCHA or accessibility exercise). …
Remediation The primary fix is to update Google Chrome to version 150.0.7871.47 or later, which was released via the stable channel and confirmed in the vendor advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy