Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SOP bypass crosses origin security scopes (S:C); both C:H and I:H apply as cross-origin data can be read and written via the bypassed policy.
Primary rating from Vendor (Chrome).
CVSS VectorVendor: Chrome
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Same Origin Policy bypass in Google Chrome's V8 JavaScript engine (prior to 150.0.7871.125) allows a remote attacker to cross origin security boundaries via a crafted HTML page, enabling high-impact integrity violations against cross-origin content. Exploitation requires the victim to visit the malicious page (UI:R), limiting automated mass exploitation - a constraint confirmed by SSVC's Automatable:no finding. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open a crafted HTML page in a vulnerable Google Chrome instance (any version prior to 150.0.7871.125); this user interaction (UI:R) is a hard prerequisite and prevents automated mass exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS score of 6.5 (Medium) reflects network delivery (AV:N), low attack complexity (AC:L), no authentication required on the attacker's side (PR:N), mandatory user interaction (UI:R), and an integrity-only base impact (I:H, C:N, A:N) within unchanged scope (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML page containing JavaScript that triggers V8's flawed origin validation logic and hosts it on an attacker-controlled domain. A victim is directed to the page via a phishing link or malvertising redirect, and upon loading it in a vulnerable Chrome instance, the SOP bypass executes - allowing the attacker's script to read cookies, session tokens, or DOM content from a different origin open in the victim's browser. … |
| Remediation | Update Google Chrome to version 150.0.7871.125 or later; this is the vendor-released patch as documented at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_0353146366.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44482
GHSA-qpx7-r6j6-cqf3