Skip to main content

Google Chrome CVE-2026-15124

| EUVDEUVD-2026-42453 MEDIUM
Improper Input Validation (CWE-20)
2026-07-08 chrome-cve-admin@google.com GHSA-fh7w-cwh7-hvq9
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network delivery via crafted page requires victim visit (UI:R); no attacker privileges needed; SOP bypass yields limited cross-origin read only (C:L), with no integrity or availability impact confirmed.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 12:14 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
4.3 (MEDIUM)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
MEDIUM 4.3

DescriptionCVE.org

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same-origin policy bypass in Google Chrome's Passwords component (versions prior to 150.0.7871.115) enables a remote attacker to read limited cross-origin data by directing a victim to a crafted HTML page. Chromium's own security team rates this High despite a CVSS base score of 4.3 (Medium), a discrepancy that likely reflects the sensitivity of credential-adjacent subsystem involvement rather than raw exploitability metrics alone. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page
Delivery
Victim redirected via phishing or malicious ad
Exploit
Chrome loads page in renderer
Execution
Passwords SOP enforcement gap triggered
Impact
Cross-origin password policy data read by attacker page

Vulnerability AssessmentAI

Exploitation The victim must be running Google Chrome for desktop in a version prior to 150.0.7871.115 and must actively visit or be redirected to an attacker-controlled crafted HTML page (UI:R is mandatory - passive network exposure is insufficient). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) scores 4.3 Medium, reflecting no attacker privileges required, low complexity, but mandatory user interaction and limited confidentiality-only impact with unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and hosts a crafted HTML page engineered to trigger the SOP enforcement gap in Chrome's Passwords component. The victim - running Chrome below 150.0.7871.115 with the built-in password manager active - is lured to the page via a phishing email or malicious advertisement, causing Chrome to improperly permit cross-origin access to password policy data. …
Remediation Update Google Chrome to version 150.0.7871.115 or later immediately using Chrome's built-in update mechanism (Settings → Help → About Google Chrome) or enterprise deployment tooling such as Google Admin or third-party patch management. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy