Skip to main content

Google Chrome CVE-2026-14155

| EUVDEUVD-2026-40842 MEDIUM
Improper Access Control (CWE-284)
2026-06-30 chrome-cve-admin@google.com GHSA-r7cf-wj4w-p5cq
6.5
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted page requiring victim interaction; no attacker privileges needed; confidentiality high for cross-origin data leak; scope unchanged as the browser process does not escalate to another security authority.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 14:39 vuln.today
CVSS changed
Jul 01, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 23:17 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 exposes sensitive user data from other origins when a victim visits a specially crafted HTML page that exploits insufficient policy enforcement in the StorageAccessAPI. The API, designed to manage third-party storage access in privacy-restricting browser contexts, fails to enforce cross-origin boundaries correctly, allowing an attacker to read data belonging to unrelated origins. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page
Delivery
Victim navigates to malicious page
Exploit
StorageAccessAPI policy enforcement bypassed in Chrome
Execution
Cross-origin storage data read without authorization
Impact
Sensitive data exfiltrated to attacker infrastructure

Vulnerability AssessmentAI

Exploitation The victim must actively navigate to an attacker-controlled HTML page - passive or drive-by exploitation without user interaction is not possible (UI:R in CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven primarily by the High confidentiality impact with no integrity or availability impact (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing JavaScript that invokes the StorageAccessAPI to request and gain unauthorized access to cross-origin storage data. When a victim browses to the malicious page (required user interaction per UI:R), the page silently reads cookies, localStorage, or session tokens from a target origin and exfiltrates them to the attacker's server. …
Remediation Update Google Chrome to version 150.0.7871.47 or later using Chrome's built-in update mechanism (Settings → About Chrome) or via enterprise deployment tools. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy