Skip to main content

Google Chrome CVE-2026-15775

| EUVDEUVD-2026-44482 MEDIUM
Origin Validation Error (CWE-346)
2026-07-14 Chrome GHSA-qpx7-r6j6-cqf3
6.5
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
9.3 CRITICAL

SOP bypass crosses origin security scopes (S:C); both C:H and I:H apply as cross-origin data can be read and written via the bypassed policy.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 18:31 vuln.today
CVSS changed
Jul 15, 2026 - 16:22 NVD
6.5 (MEDIUM)
Patch available
Jul 14, 2026 - 23:20 EUVD
CVE Published
Jul 14, 2026 - 20:09 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 14, 2026 - 20:09 cve.org
MEDIUM 6.5

DescriptionCVE.org

Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same Origin Policy bypass in Google Chrome's V8 JavaScript engine (prior to 150.0.7871.125) allows a remote attacker to cross origin security boundaries via a crafted HTML page, enabling high-impact integrity violations against cross-origin content. Exploitation requires the victim to visit the malicious page (UI:R), limiting automated mass exploitation - a constraint confirmed by SSVC's Automatable:no finding. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page
Delivery
Victim lured to malicious page via phishing or malvertising
Exploit
Malicious JavaScript triggers V8 origin validation flaw
Execution
Same Origin Policy enforcement bypassed
Persist
Attacker script accesses cross-origin data
Impact
Cross-origin session or content exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open a crafted HTML page in a vulnerable Google Chrome instance (any version prior to 150.0.7871.125); this user interaction (UI:R) is a hard prerequisite and prevents automated mass exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS score of 6.5 (Medium) reflects network delivery (AV:N), low attack complexity (AC:L), no authentication required on the attacker's side (PR:N), mandatory user interaction (UI:R), and an integrity-only base impact (I:H, C:N, A:N) within unchanged scope (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page containing JavaScript that triggers V8's flawed origin validation logic and hosts it on an attacker-controlled domain. A victim is directed to the page via a phishing link or malvertising redirect, and upon loading it in a vulnerable Chrome instance, the SOP bypass executes - allowing the attacker's script to read cookies, session tokens, or DOM content from a different origin open in the victim's browser. …
Remediation Update Google Chrome to version 150.0.7871.125 or later; this is the vendor-released patch as documented at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_0353146366.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy