Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Network delivery via crafted page requires victim visit (UI:R); no attacker privileges needed; SOP bypass yields limited cross-origin read only (C:L), with no integrity or availability impact confirmed.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Same-origin policy bypass in Google Chrome's Passwords component (versions prior to 150.0.7871.115) enables a remote attacker to read limited cross-origin data by directing a victim to a crafted HTML page. Chromium's own security team rates this High despite a CVSS base score of 4.3 (Medium), a discrepancy that likely reflects the sensitivity of credential-adjacent subsystem involvement rather than raw exploitability metrics alone. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be running Google Chrome for desktop in a version prior to 150.0.7871.115 and must actively visit or be redirected to an attacker-controlled crafted HTML page (UI:R is mandatory - passive network exposure is insufficient). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) scores 4.3 Medium, reflecting no attacker privileges required, low complexity, but mandatory user interaction and limited confidentiality-only impact with unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain and hosts a crafted HTML page engineered to trigger the SOP enforcement gap in Chrome's Passwords component. The victim - running Chrome below 150.0.7871.115 with the built-in password manager active - is lured to the page via a phishing email or malicious advertisement, causing Chrome to improperly permit cross-origin access to password policy data. … |
| Remediation | Update Google Chrome to version 150.0.7871.115 or later immediately using Chrome's built-in update mechanism (Settings → Help → About Google Chrome) or enterprise deployment tooling such as Google Admin or third-party patch management. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42453
GHSA-fh7w-cwh7-hvq9