Skip to main content

Google Chrome CVE-2026-15128

| EUVDEUVD-2026-42457 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 chrome-cve-admin@google.com GHSA-c8mv-ch2p-4gwv
6.1
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered UXSS requiring one user interaction (UI:R); S:C reflects cross-origin script execution; C:L/I:L captures partial cross-origin data access; no availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 12:16 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
6.1 (MEDIUM)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
MEDIUM 6.1

DescriptionCVE.org

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Universal Cross-Site Scripting (UXSS) in Google Chrome's Forms implementation prior to version 150.0.7871.115 permits remote, unauthenticated attackers to inject arbitrary scripts or HTML across any browser origin by luring a victim to a crafted HTML page. The Scope:Changed metric in the CVSS vector reflects the defining characteristic of UXSS: unlike conventional XSS, the injected script executes outside the attacker-controlled page's origin, effectively bypassing the Same-Origin Policy and threatening any concurrent browser session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page with malformed form elements
Delivery
Victim navigates to page in vulnerable Chrome (< 150.0.7871.115)
Exploit
Forms renderer triggers UXSS condition
Execution
Injected script executes across browser origins
Impact
Active session tokens or sensitive data exfiltrated from other open tabs

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively visit a crafted HTML page using a vulnerable version of Google Chrome prior to 150.0.7871.115 (confirmed by UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 6.1 Medium CVSS score somewhat understates the real-world concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page containing specially constructed form elements that trigger the Forms implementation flaw in vulnerable Chrome versions. When a victim browses to this page - via a phishing link, malicious advertisement, or compromised site - the UXSS payload fires and executes JavaScript in the context of other origins already loaded in the browser, potentially harvesting session tokens, performing authenticated actions on corporate or banking portals, or silently redirecting the victim. …
Remediation The primary fix is to upgrade Google Chrome to version 150.0.7871.115 or later, the vendor-released patch confirmed by the Chrome stable channel advisory at http://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy