
Google Chrome CVE-2026-11658

EUVD ID: EUVD-2026-35258
Severity: Medium (disputed; NVD CVSS 6.5)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-06-09
Reporting contact: chrome-cve-admin@google.com
GitHub advisory: GHSA-q4p8-cgh7-q73x

Severity by source

Sources disagree (Medium to Critical):
NVD (primary): 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE: CRITICAL (qualitative)
Red Hat: 6.8 HIGH (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline (4 events)

Jun 09, 2026 - 14:25 vuln.today: Analysis Generated
Jun 09, 2026 - 14:22 NVD: CVSS changed to 6.5 (MEDIUM)
Jun 09, 2026 - 00:16 nvd: CVE Published, UNKNOWN (no severity yet)
Jun 09, 2026 - 00:16 nvd: CVE Published, MEDIUM 6.5

Description (source: CVE.org)

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Analysis (AI-generated)

Site isolation bypass in Google Chrome's Extensions subsystem prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to defeat cross-origin security boundaries via a crafted HTML page; one user interaction is required. The root cause is CWE-20 (Improper Input Validation) in the Extensions layer: the subsystem fails to adequately validate untrusted input before acting on it across site isolation boundaries. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Compromise Chrome renderer via separate bug
Delivery: Craft malicious HTML page targeting Extensions layer
Exploit: Deliver page to victim (user interaction required)
Execution: Trigger insufficient input validation in Extensions subsystem
Persist: Bypass site isolation boundary
Impact: Tamper with cross-origin page integrity

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires two stacked conditions: (1) the attacker must have already achieved renderer process compromise via a separate vulnerability; this is explicitly stated in the CVE description and is a significant, non-trivial prerequisite; (2) the victim must perform one user interaction such as navigating to or clicking within a crafted HTML page (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 6.5 Medium score is reasonable given the significant chained prerequisite: exploiting this vulnerability requires the attacker to have already compromised the renderer process via a separate, unspecified vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker first exploits a separate renderer-level vulnerability in Chrome (for example, a V8 or Blink bug) to gain code execution within the sandboxed renderer process, then serves the victim a crafted HTML page via a malicious or compromised website. When the user navigates to or interacts with the page (UI:R), the crafted content triggers the Extensions subsystem's insufficient input validation, allowing the attacker to bypass site isolation and tamper with cross-origin page content, for example by injecting malicious scripts into a banking site loaded in an adjacent tab. …

Remediation: Update Google Chrome to version 149.0.7827.103 or later, which is the confirmed vendor-released patch per the stable channel update advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. … Detailed patch versions, workarounds, and compensating controls in full report.


Vendor Status (vendor-reported)

SUSE
Severity: Critical
Product status:
openSUSE Leap 16.0: Fixed
openSUSE Tumbleweed: Fixed
