Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered UXSS requiring one user interaction (UI:R); S:C reflects cross-origin script execution; C:L/I:L captures partial cross-origin data access; no availability impact applies.
Primary rating from Vendor (google).
CVSS VectorVendor: google
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Universal Cross-Site Scripting (UXSS) in Google Chrome's Forms implementation prior to version 150.0.7871.115 permits remote, unauthenticated attackers to inject arbitrary scripts or HTML across any browser origin by luring a victim to a crafted HTML page. The Scope:Changed metric in the CVSS vector reflects the defining characteristic of UXSS: unlike conventional XSS, the injected script executes outside the attacker-controlled page's origin, effectively bypassing the Same-Origin Policy and threatening any concurrent browser session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively visit a crafted HTML page using a vulnerable version of Google Chrome prior to 150.0.7871.115 (confirmed by UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 6.1 Medium CVSS score somewhat understates the real-world concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page containing specially constructed form elements that trigger the Forms implementation flaw in vulnerable Chrome versions. When a victim browses to this page - via a phishing link, malicious advertisement, or compromised site - the UXSS payload fires and executes JavaScript in the context of other origins already loaded in the browser, potentially harvesting session tokens, performing authenticated actions on corporate or banking portals, or silently redirecting the victim. … |
| Remediation | The primary fix is to upgrade Google Chrome to version 150.0.7871.115 or later, the vendor-released patch confirmed by the Chrome stable channel advisory at http://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42457
GHSA-c8mv-ch2p-4gwv