Severity by source
Sources disagree (Medium–Critical)
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Description (CVE.org)
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Analysis (AI)
UI spoofing in Google Chrome prior to 149.0.7827.103 lets a remote, unauthenticated attacker deceive users into interacting with falsified browser interface elements via a crafted HTML page. The root cause is insufficient validation of untrusted input in Chrome's Input component (CWE-20). The NVD vector scores it CVSS 5.4 (Medium) with low confidentiality and low availability impact; the Information Disclosure tag reflects the data-exposure risk of spoofed UI surfaces such as fake dialogs or a manipulated address bar. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim to open an attacker-controlled page in an unpatched version of Google Chrome (prior to 149.0.7827.103); user interaction (UI:R) is mandatory. … |
| Risk Assessment | The CVSS 5.4 Medium score reflects network-accessible exploitation (AV:N) with no required privileges (PR:N) but mandatory user interaction (UI:R), and limited impact: low confidentiality (C:L), no integrity (I:N) and low availability (A:L). The 5.4 base score is consistent with that vector; the same vector with A:N would score 4.3. … |
| Exploit Scenario | An attacker registers or compromises a web domain, hosts a crafted HTML page that triggers the insufficient input validation and renders spoofed browser UI elements (a fake security dialog, a fabricated address-bar URL, or a spoofed permission prompt), and distributes the link by email or social media to targeted users. When the victim opens the link in an unpatched Chrome instance, the falsified UI deceives them into entering credentials, approving a malicious permission, or believing they are on a trusted site. … |
| Remediation | Update Google Chrome to version 149.0.7827.103 or later via Chrome's built-in updater (Chrome menu → Help → About Google Chrome triggers an update check; the update takes effect on relaunch) or through enterprise deployment tooling (Google Admin console, GPO, or a third-party patch-management platform). … |
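To verify that the remediation above has actually landed, the check below decides whether a collected Chrome version string is still below the fixed version named in the description. It is an added example, not vuln.today's or Google's code; the inventory is constructed sample data and the hostnames are hypothetical. It compares the four version components numerically, because a plain string comparison misorders them (as text, "149.0.7827.99" sorts after "149.0.7827.103").

```python
"""Check collected Chrome version strings against the first fixed version.
Added example for this page; not vuln.today's or Google's code."""
import re

# First fixed version, taken from the CVE description on this page.
FIXED_VERSION = "149.0.7827.103"

# Constructed sample inventory: hypothetical hostnames -> output of `google-chrome --version`.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 149.0.7827.103",
    "ws-02": "Google Chrome 149.0.7827.99",    # older than .103 even though "99" > "103" as text
    "ws-03": "Chromium 148.0.7700.210",
    "ws-04": "Google Chrome 150.0.7900.12",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the MAJOR.MINOR.BUILD.PATCH version as a tuple of ints so it compares numerically."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome-style version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the observed version is strictly below the fixed version."""
    return parse_version(version_text) < parse_version(fixed)


def vulnerable_hosts(inventory: dict) -> list:
    """Hostnames still running a version below the fix, sorted for stable reporting."""
    return sorted(host for host, text in inventory.items() if is_vulnerable(text))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, update required")
```

Feed it the real `--version` output (or the version reported by Chrome Browser Cloud Management) and anything it lists is still on a vulnerable build.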
Vendor Status
SUSE
Severity: Critical

| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
External POC / Exploit Code
EUVD-2026-35266
GHSA-q7vr-j5wc-2xch