Skip to main content

Google Chrome EUVDEUVD-2026-39046

| CVE-2026-13034 MEDIUM
Origin Validation Error (CWE-346)
2026-06-24 Chrome GHSA-3pfj-fj4c-9hh9
4.7
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
vuln.today AI
3.4 LOW

AC:H reflects the mandatory renderer compromise prerequisite; AV:N and UI:R align with crafted HTML delivery; S:C and C:L capture limited cross-origin data exposure with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:41 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
4.7 (MEDIUM)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
MEDIUM 4.7

DescriptionCVE.org

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker serves crafted HTML page
Delivery
User visits page in Chrome
Exploit
Renderer process compromised via separate exploit
Execution
Abuse Passwords origin validation flaw
Persist
Break site isolation boundary
Impact
Exfiltrate cross-origin credential data

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to be met simultaneously: the attacker must have already achieved renderer process compromise through a separate, prior vulnerability, AND the victim user must interact with a crafted HTML page (confirming UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 4.7 (Medium) reflects limited confidentiality impact (C:L) and no integrity or availability consequence, but the assigned vector AV:N/AC:L/PR:N/UI:R/S:C warrants scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page that first exploits a separate renderer-level vulnerability to gain control of the Chrome renderer process, then uses this CVE's origin validation flaw in the Passwords subsystem to read cross-origin credential data from a different site. No public proof-of-concept is known, making this scenario most plausible as part of a targeted, chained browser exploit rather than opportunistic mass exploitation.
Remediation Update Google Chrome to version 149.0.7827.197 or later, which is confirmed as the vendor-released patch per the stable channel update advisory at http://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy