Skip to main content

Google Chrome EUVDEUVD-2026-44475

| CVE-2026-15768 MEDIUM
Origin Validation Error (CWE-346)
2026-07-14 Chrome GHSA-5cvc-pm9v-pw7p
6.5
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-delivered via crafted page with mandatory victim interaction (UI:R); integrity-only impact from SOP bypass with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 18:30 vuln.today
CVSS changed
Jul 15, 2026 - 16:22 NVD
6.5 (MEDIUM)
Patch available
Jul 14, 2026 - 23:20 EUVD
CVE Published
Jul 14, 2026 - 20:09 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 14, 2026 - 20:09 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insufficient policy enforcement in HTML-in-Canvas in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Same-origin policy bypass in Google Chrome prior to 150.0.7871.125 enables remote attackers to manipulate cross-origin content integrity through the browser's HTML-in-Canvas rendering subsystem. Exploitation requires a victim to visit a crafted HTML page, making this a socially-engineered attack rather than a fully autonomous one. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host crafted HTML page
Delivery
Lure victim to visit page
Exploit
Trigger HTML-in-Canvas rendering
Execution
Bypass same-origin policy enforcement
Impact
Manipulate cross-origin content integrity

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user actively navigates to or loads a crafted HTML page under attacker control - this is mandated by the UI:R metric in the CVSS vector and is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven by AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates a malicious webpage that embeds a crafted HTML-in-Canvas construct designed to trigger the policy enforcement gap. A victim is lured to visit this page - via phishing email, malicious advertisement, or compromised site - whereupon Chrome processes the canvas content and the attacker's script bypasses the same-origin policy to manipulate or exfiltrate rendered cross-origin data. …
Remediation Update Google Chrome to version 150.0.7871.125 or later via the browser's built-in update mechanism (Settings > Help > About Google Chrome) or by deploying the update through enterprise management tooling. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy