Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AV:L and UI:R confirmed by description; C:L reflects partial SOP bypass; no integrity or availability impact stated.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.115 allowed a local attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Same-origin policy bypass in Google Chrome's WebAppInstalls component on Android exposes limited cross-origin data to a local attacker who can direct a user to visit a crafted HTML page. All Chrome for Android releases prior to 150.0.7871.115 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the victim must be running Google Chrome on Android specifically - this vulnerability does not affect Chrome on other platforms; (2) the victim must visit a crafted HTML page and interact with it (UI:R per CVSS), likely triggering a PWA install prompt or related WebAppInstalls flow; and (3) the attacker operates from a local attack position (AV:L), which in Android browser context likely means the crafted page is served locally or the attacker has some form of local access (e.g., same device, local network, or installed malicious app surfacing a page). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.3 (Low) and vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N reflect meaningful mitigating factors: the attack vector is local (AV:L), meaning the attacker operates within the same local context as the victim (e.g., same device or local network context on Android), and user interaction is required (UI:R) - the victim must visit the crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page designed to interact with Chrome's WebAppInstalls flow on Android, then socially engineers a victim into visiting it - via phishing link, malicious QR code, or a compromised page on a shared network. When the victim interacts with the page in Chrome for Android (UI:R), the insufficient input validation allows the attacker to trigger a same-origin policy bypass, enabling limited access to cross-origin data such as responses or DOM content from another origin the victim is authenticated to. … |
| Remediation | The primary remediation is updating Chrome for Android to version 150.0.7871.115 or later, which resolves the insufficient input validation in WebAppInstalls. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42486
GHSA-hfq2-wc27-2rmq