Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Network delivery via crafted page (AV:N); high complexity due to required specific UI gestures (AC:H); no attacker auth needed (PR:N); limited cross-origin data leakage only (C:L), no integrity or availability impact.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Cross-origin data leakage in Google Chrome's DevTools component (versions prior to 150.0.7871.47) permits a remote attacker to exfiltrate data across origin boundaries by tricking a user into performing specific UI gestures on a crafted HTML page. The CVSS base score of 3.1 (Low) reflects high attack complexity and mandatory user interaction, consistent with the EPSS score of 0.21% (11th percentile) indicating negligible in-the-wild exploitation activity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running Google Chrome at any version prior to 150.0.7871.47 on a supported desktop platform. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available risk signals converge on a low-priority classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page designed to present a deceptive UI element - such as a fake CAPTCHA or drag-and-drop interaction - that, when engaged by the victim using Chrome prior to 150.0.7871.47, triggers an inappropriate DevTools state that leaks cross-origin data (e.g., response content from an authenticated resource on a separate origin the user is logged into). The attacker delivers the page via phishing email or malvertising and collects the exfiltrated data server-side. … |
| Remediation | Update Google Chrome to version 150.0.7871.47 or later - the vendor-released patch resolving this vulnerability - available via the Chrome internal update mechanism (Settings > Help > About Google Chrome triggers an update check) or through enterprise deployment channels such as Google Admin Console or MSI packages for managed environments. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40651
GHSA-f5w7-vpjf-rmjj