Skip to main content

Google Chrome Android CVE-2026-15115

| EUVDEUVD-2026-42486 LOW
Improper Input Validation (CWE-20)
2026-07-08 chrome-cve-admin@google.com GHSA-hfq2-wc27-2rmq
3.3
CVSS 3.1 · Vendor: google

Severity by source

Vendor (google) PRIMARY
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.3 LOW

AV:L and UI:R confirmed by description; C:L reflects partial SOP bypass; no integrity or availability impact stated.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 09, 2026 - 12:13 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
3.3 (LOW)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.115 allowed a local attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same-origin policy bypass in Google Chrome's WebAppInstalls component on Android exposes limited cross-origin data to a local attacker who can direct a user to visit a crafted HTML page. All Chrome for Android releases prior to 150.0.7871.115 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Social-engineer victim via phishing link
Delivery
Victim opens crafted HTML page in Chrome Android
Exploit
Page triggers WebAppInstalls input validation flaw
Execution
Same-origin policy boundary bypassed
Impact
Attacker reads limited cross-origin data from victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the victim must be running Google Chrome on Android specifically - this vulnerability does not affect Chrome on other platforms; (2) the victim must visit a crafted HTML page and interact with it (UI:R per CVSS), likely triggering a PWA install prompt or related WebAppInstalls flow; and (3) the attacker operates from a local attack position (AV:L), which in Android browser context likely means the crafted page is served locally or the attacker has some form of local access (e.g., same device, local network, or installed malicious app surfacing a page). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.3 (Low) and vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N reflect meaningful mitigating factors: the attack vector is local (AV:L), meaning the attacker operates within the same local context as the victim (e.g., same device or local network context on Android), and user interaction is required (UI:R) - the victim must visit the crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page designed to interact with Chrome's WebAppInstalls flow on Android, then socially engineers a victim into visiting it - via phishing link, malicious QR code, or a compromised page on a shared network. When the victim interacts with the page in Chrome for Android (UI:R), the insufficient input validation allows the attacker to trigger a same-origin policy bypass, enabling limited access to cross-origin data such as responses or DOM content from another origin the victim is authenticated to. …
Remediation The primary remediation is updating Chrome for Android to version 150.0.7871.115 or later, which resolves the insufficient input validation in WebAppInstalls. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy