What is the CVSS score of EUVD-2026-35221?

EUVD-2026-35221 has a contested CVSS base score of 4.3 from a third party (e.g. CISA-ADP), while the vendor rates it Medium. vuln.today uses the vendor rating as authoritative.

Is there a patch available for EUVD-2026-35221?

Yes, a patch is available for EUVD-2026-35221. Update the affected software to the latest version immediately.

Google Chrome EUVD-2026-35221

| CVE-2026-11695 MEDIUM

Protection Mechanism Failure (CWE-693)

2026-06-09 chrome-cve-admin@google.com

GHSA-q4rm-h6xg-hcmq

Information Disclosure Google Red Hat Suse

Medium

Disputed · 4.3 NVD

Severity by source

Sources disagree (Medium–Critical)

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

SUSE

CRITICAL

qualitative

Red Hat

7.4 HIGH

qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 02:56 vuln.today

CVSS changed

Jun 09, 2026 - 02:22 NVD

4.3 (MEDIUM)

CVE Published

Jun 09, 2026 - 00:16 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 09, 2026 - 00:16 nvd

MEDIUM 4.3

DescriptionCVE.org

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Cross-origin data leakage in Google Chrome's Passwords feature (all versions prior to 149.0.7827.103) can be triggered by a remote unauthenticated attacker delivering a crafted HTML page to a victim. The flaw results from an inappropriate implementation classified under CWE-693 (Protection Mechanism Failure), meaning the browser's same-origin policy enforcement is bypassed specifically within the Passwords subsystem. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Host crafted HTML page

Delivery

Deliver link to target via phishing or redirect

Exploit

Victim opens page in unpatched Chrome

Execution

Crafted page triggers Passwords subsystem flaw

Impact

Cross-origin credential or page data leaked to attacker

Access

Host crafted HTML page

Delivery

Deliver link to target via phishing or redirect

Exploit

Victim opens page in unpatched Chrome

Execution

Crafted page triggers Passwords subsystem flaw

Impact

Cross-origin credential or page data leaked to attacker

Vulnerability AssessmentAI

Exploitation	Exploitation requires that the victim user visit a crafted HTML page in an affected Chrome version (prior to 149.0.7827.103) - this is the sole prerequisite, as confirmed by the UI:R flag in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) characterizes this as a network-reachable, low-complexity attack requiring no privileges but necessitating user interaction - specifically, a victim visiting a crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker hosts a malicious HTML page containing crafted JavaScript or markup designed to trigger the flawed behavior in Chrome's Passwords component, then lures a target user to visit the page via phishing, a compromised ad, or a malicious link. Upon page load and interaction with the Passwords subsystem, the browser inadvertently exposes data belonging to a different origin - potentially including credential-related state - to the attacker-controlled page. …
Remediation	The primary fix is to update Google Chrome to version 149.0.7827.103 or later via the browser's built-in update mechanism (chrome://settings/help) or enterprise deployment tooling. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
openSUSE Leap 16.0	Fixed
openSUSE Tumbleweed	Fixed

EUVD-2026-35221 vulnerability details – vuln.today

Back

Google Chrome EUVD-2026-35221

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code