Skip to main content

Google Chrome EUVDEUVD-2026-40819

| CVE-2026-14132 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-30 chrome-cve-admin@google.com GHSA-rjp5-8cgw-rxgg
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-delivered via crafted page (AV:N), requires victim navigation (UI:R), no privileges needed (PR:N), impact limited to UI spoofing with no availability effect (C:L/I:L/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 01, 2026 - 18:27 vuln.today
CVSS changed
Jul 01, 2026 - 16:07 NVD
5.4 (MEDIUM)
CVE Published
Jun 30, 2026 - 23:17 nvd
MEDIUM 5.4
CVE Published
Jun 30, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Inappropriate implementation in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

AnalysisAI

UI spoofing in Google Chrome's WebXR component (all versions prior to 150.0.7871.47) allows remote attackers to misrepresent browser interface elements when a victim visits a crafted HTML page. The flaw stems from an inappropriate implementation in the WebXR Device API, enabling manipulation of what the user perceives as trusted UI - potentially obscuring origin indicators, security state, or page identity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts crafted HTML page with WebXR payload
Delivery
Victim lured to malicious URL via phishing or ad
Exploit
Chrome WebXR inappropriate implementation triggered
Execution
Browser UI elements misrepresented to victim
Impact
Victim deceived into disclosing credentials or approving sensitive action

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively navigate to a crafted HTML page in an unpatched Chrome browser (UI:R - mandatory user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 5.4 Medium with AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and hosts a crafted HTML page that leverages Chrome's WebXR API to manipulate browser UI elements - for example, overlaying a fake address bar or security indicator that suggests the user is on a trusted origin. The victim is lured to the page via phishing email or malicious advertisement, and the spoofed UI misleads them into entering credentials or approving a sensitive permission they would otherwise decline. …
Remediation Upgrade Google Chrome to version 150.0.7871.47 or later via the Chrome stable channel update documented at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html; this is the vendor-confirmed fix and the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Package Hub 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP7 Affected

Share

EUVD-2026-40819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy