Skip to main content

Google Chrome CVE-2026-14381

| EUVDEUVD-2026-41163 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-07-01 Chrome GHSA-r2mf-x5c6-qff9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered via crafted page requiring active user interaction with install prompt (UI:R); spoofing yields only low integrity impact with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
CVSS changed
Jul 02, 2026 - 18:22 NVD
4.3 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Jul 02, 2026 - 17:25 vuln.today
CVSS changed
Jul 02, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jul 01, 2026 - 22:21 cve.org
MEDIUM 4.3
CVE Published
Jul 01, 2026 - 22:21 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page on attacker-controlled server
Delivery
Lure victim to page via phishing or malvertising
Exploit
Trigger WebAppInstalls PWA installation dialog
Execution
Spoof origin or trust indicators in installation UI
Impact
Victim approves installation of malicious web app

Vulnerability AssessmentAI

Exploitation The victim must actively navigate to an attacker-controlled web page AND interact with a PWA installation prompt triggered by that page - passive browsing is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) reflects a network-reachable vector with no required privileges and no required configuration changes, but mandates user interaction (UI:R) and yields only a low integrity impact with no confidentiality or availability consequence (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page that triggers Chrome's WebAppInstalls installation dialog with manipulated security UI elements - for example, spoofing the displayed origin name or security badge to impersonate a trusted service. A user who visits the page and interacts with the installation prompt is misled into approving installation of a malicious or untrusted web app. …
Remediation Upgrade Google Chrome to version 150.0.7871.46 or later, which is confirmed as the patched release per the vendor advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

CVE-2026-14381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy