Skip to main content

Google Chrome EUVDEUVD-2026-40651

| CVE-2026-13963 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-30 chrome-cve-admin@google.com GHSA-f5w7-vpjf-rmjj
3.1
CVSS 3.1 · Vendor: google

Severity by source

Vendor (google) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Network delivery via crafted page (AV:N); high complexity due to required specific UI gestures (AC:H); no attacker auth needed (PR:N); limited cross-origin data leakage only (C:L), no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 01, 2026 - 20:23 vuln.today
CVSS changed
Jul 01, 2026 - 20:22 NVD
3.1 (LOW)
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AnalysisAI

Cross-origin data leakage in Google Chrome's DevTools component (versions prior to 150.0.7871.47) permits a remote attacker to exfiltrate data across origin boundaries by tricking a user into performing specific UI gestures on a crafted HTML page. The CVSS base score of 3.1 (Low) reflects high attack complexity and mandatory user interaction, consistent with the EPSS score of 0.21% (11th percentile) indicating negligible in-the-wild exploitation activity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts deceptive HTML page
Delivery
Deliver page via phishing or malvertising
Exploit
Victim visits page in unpatched Chrome
Execution
Social engineering prompts specific UI gestures
Persist
DevTools inappropriate implementation triggered
Impact
Cross-origin data leaked to attacker infrastructure

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running Google Chrome at any version prior to 150.0.7871.47 on a supported desktop platform. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available risk signals converge on a low-priority classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML page designed to present a deceptive UI element - such as a fake CAPTCHA or drag-and-drop interaction - that, when engaged by the victim using Chrome prior to 150.0.7871.47, triggers an inappropriate DevTools state that leaks cross-origin data (e.g., response content from an authenticated resource on a separate origin the user is logged into). The attacker delivers the page via phishing email or malvertising and collects the exfiltrated data server-side. …
Remediation Update Google Chrome to version 150.0.7871.47 or later - the vendor-released patch resolving this vulnerability - available via the Chrome internal update mechanism (Settings > Help > About Google Chrome triggers an update check) or through enterprise deployment channels such as Google Admin Console or MSI packages for managed environments. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy