Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's WebView component on Android (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive cross-origin data by directing victims to a specially crafted HTML page. The flaw resides in an inappropriate implementation within WebView (CWE-474), effectively undermining same-origin policy protections that normally isolate web content across origins - an attacker can read data they should not have access to. No public exploit has been identified at time of analysis, and an EPSS score of 0.03% (10th percentile) signals very low current exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
WebView is Android's embedded browser rendering engine, used by Chrome and third-party apps to display web content within the application context. CWE-474 (Use of Function with Inconsistent Implementations) describes a root cause where a function behaves differently across platforms or contexts than its specification requires - in this case, Chrome's WebView on Android implements cross-origin data handling in a way that diverges from the expected same-origin policy enforcement present in the desktop browser. This inconsistency creates a path for an attacker-controlled page to read responses or data from a different origin, potentially including authenticated API responses, cookies, or private resources loaded in the same WebView context. The vulnerability is platform-specific to Android and does not affect Chrome on Windows, macOS, Linux, or iOS based on available data.
RemediationAI
The primary fix is to update Google Chrome on Android to version 149.0.7827.53 or later, which contains the vendor-released patch per the Google Chrome stable channel advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Android users can apply the update via the Google Play Store or through Chrome's built-in update mechanism (Settings → About Chrome → Update). For organizations managing Android fleets via MDM (Mobile Device Management), enforce the minimum Chrome version policy to 149.0.7827.53. If immediate patching is not feasible, the most actionable compensating control is to restrict users from visiting untrusted web content through Chrome for Android - note this trades usability for risk reduction and does not eliminate the underlying flaw. Disabling WebView-based features in enterprise-managed apps that embed Chrome WebView could further reduce the attack surface, though this may break app functionality. No workaround eliminates the vulnerability without the patch.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34559
GHSA-xhhm-m8m8-j8q5