Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SOP bypass inherently crosses origin boundaries (S:C); limited C:L and I:L reflect partial cross-origin read/write rather than full system compromise.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.
Technical ContextAI
Google Chrome's DevTools subsystem enforces policy controls that govern cross-origin access within the browser's rendering engine. CWE-346 (Origin Validation Error) identifies the root cause: the engine fails to correctly validate the originating context before permitting certain DevTools-mediated actions, allowing cross-origin policy boundaries to be crossed. The affected CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* covers all platform variants of Chrome across Windows, macOS, and Linux prior to the 149.0.7827.115 stable release. Same-origin policy is a foundational browser security primitive; its bypass via DevTools internals is particularly sensitive because DevTools interfaces carry elevated trust within the browser process model.
RemediationAI
The primary fix is upgrading Google Chrome to version 149.0.7827.115 or later via the stable channel update, detailed at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html. Chrome's auto-update mechanism will deliver this patch to most users automatically; enterprise administrators should verify forced update policies are active. As a compensating control pending patch deployment, restricting access to untrusted or unknown web pages (via browser security policy, web proxy filtering, or disabling JavaScript for untrusted zones) would reduce exposure, though this imposes significant usability trade-offs in browser-dependent environments. Disabling or restricting DevTools access via enterprise policy (e.g., DeveloperToolsDisabled=true in Chrome group policy) may reduce the attack surface but cannot be confirmed as a complete mitigation without vendor guidance on the specific DevTools code path involved.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36344
GHSA-7mw2-6273-9cwv