Skip to main content

Google Chrome CVE-2026-15125

| EUVDEUVD-2026-42454 HIGH
Incorrect Authorization (CWE-863)
2026-07-08 chrome-cve-admin@google.com GHSA-r2p6-2gj6-77xg
8.8
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-delivered crafted page needs no privileges (PR:N) but requires the user to open it (UI:R); renderer-confined RCE keeps scope unchanged (S:U) with high C/I/A within the process.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 11:50 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
8.8 (HIGH)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
HIGH 8.8

DescriptionCVE.org

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Sandboxed remote code execution in Google Chrome desktop before 150.0.7871.115 lets a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page, stemming from an inappropriate implementation in the Forms component (Chromium severity: High). No public exploit identified at time of analysis, and the flaw is not on CISA KEV; Google has shipped a fixed Stable channel build. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Exploit
Page triggers Forms implementation flaw
Execution
Execute arbitrary code in renderer sandbox
Impact
Attempt further chaining or data access

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or navigate to an attacker-controlled crafted HTML page in a vulnerable Chrome build (before 150.0.7871.115) - the CVSS UI:R metric confirms mandatory user interaction, so this is not a zero-click flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) indicates a network-reachable, low-complexity, unauthenticated attack that requires user interaction (opening a page) and does not cross a privilege/scope boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page that abuses the Forms implementation flaw and lures a Chrome user to visit it via a phishing link, malvertising, or a compromised site. When the victim loads the page, the attacker's code executes inside the browser's renderer sandbox, potentially enabling further attacks such as chaining with a sandbox-escape bug. …
Remediation Vendor-released patch: update Google Chrome to 150.0.7871.115 or later on every desktop platform via the built-in updater (Settings > About Google Chrome) and relaunch the browser to apply it, per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deploy Chrome 150.0.7871.115 or later through your patch management system; identify and flag devices with auto-updates disabled for manual intervention. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy