Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
AnalysisAI
UI spoofing in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to visually mislead users via a crafted HTML page, exploiting CWE-451 misrepresentation of critical UI information. The integrity-only impact (CVSS I:L, C:N, A:N) is consistent with a spoofed password prompt or save dialog that could trick users into revealing credentials or accepting malicious input. No public exploit code exists, EPSS is 0.03% (11th percentile), and CISA has not added this to KEV, making this a low operational priority despite being network-reachable.
Technical ContextAI
CWE-451 (User Interface Misrepresentation of Critical Information) describes flaws where a product displays information or UI elements in a way that misleads the user about the true context or origin. In this case, Chrome's internal Passwords subsystem - responsible for rendering password save/autofill prompts and credential UI - contains an 'inappropriate implementation' that a crafted HTML page can abuse to render a spoofed password-related UI element. The CVSS scope is unchanged (S:U), meaning the exploit is confined to the browser's own process and cannot directly escape to the OS. The affected CPE is Google Chrome prior to version 149.0.7827.53 on desktop platforms. The Chromium issue tracker reference (issues.chromium.org/issues/502403953) may contain further internal detail, but its public accessibility is not confirmed.
RemediationAI
The primary fix is to upgrade Google Chrome to version 149.0.7827.53 or later, which resolves this vulnerability per the vendor's stable channel release advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html. Chrome's auto-update mechanism should handle this for most users; enterprise administrators should verify deployment via fleet management tooling. No vendor-documented workaround is available for environments that cannot immediately update. As a compensating control, organizations can consider disabling Chrome's built-in password manager via enterprise policy (PasswordManagerEnabled=false) and redirecting users to a managed password manager - note this trade-off degrades password hygiene if no alternative is provided. Given the low CVSS score, low EPSS, and absence of known exploits, urgent emergency patching is not indicated; inclusion in the next routine patch cycle is appropriate.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34755
GHSA-fx4r-j53w-6x62