Skip to main content

Information Disclosure

other MEDIUM

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.

How It Works

Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.

Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.

The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.

Impact

  • Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
  • Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
  • Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
  • Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
  • Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures

Real-World Examples

A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.

Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.

Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.

Mitigation

  • Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
  • Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
  • Access control audits: Restrict or remove development artifacts (.git, backup files, phpinfo()) and internal endpoints before deployment
  • Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
  • Security headers: Deploy X-Content-Type-Options, remove server version banners, and disable directory indexing
  • Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity

Recent CVEs (66661)

EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. No active exploitation has been confirmed (not in CISA KEV), and EPSS of 0.17% at the 7th percentile reflects minimal observed exploitation probability; however, exploitation as a second-stage payload in a renderer RCE chain remains a realistic concern for high-value targets.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's PageInfo component affects all desktop versions prior to 150.0.7871.47, enabling an attacker who has already compromised the renderer process to present deceptive browser security indicators to the user via a crafted HTML page. The vulnerability stems from an inappropriate implementation in the PageInfo subsystem (CWE-451), which controls the trusted security panel users consult to assess site authenticity. No active exploitation is confirmed - EPSS is 0.17% (7th percentile), SSVC rates exploitation as none, and this CVE is absent from the CISA KEV catalog - but the integrity impact is high where the attack chain is achievable.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect security UI in Mobile in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Media UI component on ChromeOS allows a remote attacker to manipulate what a user sees by delivering a crafted HTML page and social-engineering the victim into performing specific in-browser UI gestures. Affected versions are all Chrome on ChromeOS prior to 150.0.7871.47. While classified Medium severity (CVSS 4.2), the practical risk is constrained by the requirement for active user interaction and the ChromeOS-only scope; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing via MediaCapture in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to misrepresent browser UI through a crafted HTML page, potentially deceiving users into granting permissions or trusting malicious content. This is a chained exploitation technique - it requires a prior renderer compromise as a prerequisite - making it a post-exploitation integrity threat rather than an initial access vector. EPSS is 0.21% (11th percentile), no public exploit or CISA KEV listing exists at time of analysis, and Google has patched this in the stable channel update.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's TabStrip component, fixed in version 150.0.7871.47, enables remote attackers to misrepresent browser security indicators through specially crafted HTML pages. The incorrect security UI rendering in the tab strip allows an attacker to deceive users about the true origin or security state of a webpage, creating phishing-enablement risk. No public exploit code and an EPSS of 0.17% (7th percentile) indicate low exploitation likelihood at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

UI spoofing in Google Chrome's Passwords component (versions prior to 150.0.7871.47) allows an attacker who has already achieved renderer process compromise to manipulate security-critical password UI elements via a crafted HTML page. This is a chained exploitation scenario - not a standalone initial-access vector - as the attacker must first compromise the renderer through a separate vulnerability before leveraging this flaw. EPSS at 0.21% (11th percentile) and no CISA KEV listing confirm no observed exploitation at scale; Chromium's internal classification is Medium severity.

Information Disclosure Google
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables a remote attacker to misrepresent page identity or security state through a specially crafted HTML page, exploiting an inappropriate implementation classified under CWE-451. The vulnerability affects only the iOS-specific Chrome codebase - not Chrome on other platforms - and requires user interaction (visiting an attacker-controlled page). No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; it is not listed in the CISA KEV catalog.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in ANGLE, Chrome's cross-platform graphics abstraction engine, enables sensitive process memory disclosure on macOS for attackers who have already compromised the renderer process. Affected versions are Google Chrome prior to 150.0.7871.47 on Mac; Windows and Linux are not listed as affected. This flaw is a second-stage technique in a multi-vulnerability chain - not a standalone entry point - and no public exploit code or CISA KEV listing has been identified, placing real-world exploitation risk substantially below what the C:H confidentiality impact alone might imply.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome prior to 150.0.7871.47 allows a remote attacker to visually deceive users by misrepresenting browser UI elements through a crafted HTML page that requires the victim to perform specific interaction gestures. The flaw originates in an inappropriate implementation within Chrome's UI layer (CWE-451), enabling misrepresentation of critical information that could mislead users into unintended actions or false security assumptions. No public exploit code has been identified and the vulnerability is absent from CISA KEV; Google has released a fix in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Paint component prior to version 150.0.7871.47 allows a remote, unauthenticated attacker to misrepresent critical interface elements by delivering a crafted HTML page to a victim. The root cause is an inappropriate implementation in the Paint rendering subsystem (CWE-451), enabling visual deception that could facilitate phishing or credential theft. No public exploit code has been identified and CISA SSVC rates exploitation as none, placing real-world risk well below what the network-reachable attack vector might imply.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized memory read in Skia, Chrome's 2D graphics library, exposes process memory contents to an attacker who has already compromised the renderer process by delivering a crafted HTML page. Affected are all Chrome desktop installations prior to 150.0.7871.47; the confidentiality impact is scoped to renderer process memory, which may contain session tokens, DOM content, or cached credentials. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS Medium score of 5.3 reflects the high attack complexity imposed by the renderer pre-compromise prerequisite.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized memory exposure in Google Chrome's Media component allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. Affected versions are all Chrome releases prior to 150.0.7871.47, across desktop platforms. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; exploitation requires a chained renderer compromise, significantly constraining real-world risk despite the high confidentiality impact rating.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized memory exposure in the UI layer of Google Chrome on Android (prior to 150.0.7871.47) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability is CWE-457 (use of uninitialized variable) and is scoped to the Android platform only. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch has been released.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Process memory disclosure in Google Chrome DevTools on Windows (versions prior to 150.0.7871.47) allows a remote attacker to read potentially sensitive data from browser process memory by serving a crafted HTML page and convincing a user to perform specific UI gestures. The flaw stems from insufficient input validation (CWE-20) within the DevTools subsystem and is limited to the Windows platform. No public exploit code or CISA KEV listing has been identified at time of analysis, but the confidentiality impact is rated High by NVD.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in the codec subsystem of Google Chrome on Windows exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. All Chrome for Windows releases prior to 150.0.7871.47 are affected; the flaw is platform-specific and does not affect Chrome on Linux, macOS, or mobile. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, though the CVSS C:H rating reflects meaningful confidentiality risk, and the uninitialized read could serve as a precursor step toward ASLR bypass in a chained attack.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's PageInfo component (all versions prior to 150.0.7871.47) enables remote attackers to misrepresent the browser's security indicators through a crafted HTML page that induces specific user UI gestures. The flaw (CWE-451) causes the PageInfo panel - the panel users consult to evaluate site trustworthiness - to render incorrect security UI, potentially deceiving victims into trusting malicious or unverified origins. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; exploitation requires high attack complexity and deliberate user interaction, keeping real-world risk moderate despite the ubiquitous deployment footprint of Chrome.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

UI spoofing in Google Chrome's CustomTabs component on Android enables a local attacker to manipulate what a victim sees within an in-app browser session by supplying a malicious file, affecting all Chrome for Android versions prior to 150.0.7871.47. The CVSS score of 3.3 (Low) and EPSS of 0.13% (3rd percentile) reflect constrained real-world impact: exploitation is local, requires user interaction, and produces only integrity-level spoofing. No active exploitation has been confirmed - this vulnerability is not listed in CISA KEV, and SSVC assessment indicates exploitation status of none.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the renderer sandbox by abusing insufficient policy enforcement in the browser's USB (WebUSB) handling, delivered through a crafted HTML page. The flaw is rated Medium by Chromium but carries a high CVSS (8.3) due to the scope change from renderer to browser process; EPSS is low (0.21%, 11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available in the June 2026 Stable channel update.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to read sensitive data from GPU process memory by delivering a crafted HTML page. This is a second-stage information disclosure primitive - exploitation is contingent on a prior renderer compromise, making it a component of a multi-vulnerability attack chain rather than a standalone critical issue. No public exploit code or CISA KEV listing has been identified at time of analysis; Google has released a patched stable channel build (150.0.7871.47).

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized memory read in Google Chrome's XR (Extended Reality/WebXR) subsystem exposes process memory to a remote attacker who has already achieved renderer process compromise. Affected versions are all Chrome releases prior to 150.0.7871.47. This is a second-stage, chained vulnerability - an attacker leverages a crafted HTML page to trigger the uninitialized read and extract sensitive data from process memory, but only after separately exploiting a renderer process escape. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Extensions in Google Chrome on Linux prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)

Information Disclosure Google
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in Chrome's CSS engine on Android exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. Unauthenticated remote attackers can trigger this information leak against any Android Chrome user who visits attacker-controlled content (CVSS PR:N, UI:R), with high confidentiality impact per the CVSS vector. Notably, Chromium's internal severity rating is Medium despite the C:H CVSS impact, suggesting reliable extraction of useful sensitive data may be inconsistent in practice; no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

UI spoofing in Google Chrome's Video Capture component on ChromeOS allows a local attacker to deceive users by rendering misleading interface elements through a specially crafted HTML page. Versions prior to 150.0.7871.47 on ChromeOS are affected. No public exploit code exists and no active exploitation is confirmed - EPSS is 0.13% (3rd percentile) and SSVC rates exploitation as none - making this a low operational priority despite the low-complexity attack conditions.

Information Disclosure Google
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Inappropriate implementation in SiteSettings in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory exposure in Google Chrome's Cast component prior to 150.0.7871.47 allows an unauthenticated attacker on the same local network segment to leak sensitive contents from the browser's process memory via malicious Cast protocol traffic. The root cause is CWE-457 (Use of Uninitialized Variable): memory allocated for Cast operations is not zeroed before use, allowing residual in-memory data - potentially including credentials, session tokens, or cached page content - to be disclosed in responses to crafted network input. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; Google has released a patched build.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

UI spoofing in Google Chrome's WebShare implementation on Android allows a remote attacker who has already compromised the renderer process to deceive users via a malicious HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. The exploitation path is severely constrained by the requirement for a pre-existing renderer compromise, yielding a CVSS base score of only 3.1 (Low); no public exploit code exists and SSVC assessment confirms no active exploitation at time of analysis.

Information Disclosure Google
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from process memory by luring a user to a crafted HTML page. The flaw (CWE-457) is confined to the Android GPU code path and requires only user interaction to trigger, with CVSS confirming unauthenticated network delivery and High confidentiality impact. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel cross-origin data leakage in Google Chrome's Paint rendering component (all versions prior to 150.0.7871.47) allows remote attackers to infer sensitive content belonging to other origins by enticing a victim to visit a crafted HTML page. The vulnerability exploits a weakness in the Paint subsystem's rendering pipeline (CWE-1300: Improper Protection of Physical Side Channels), enabling an attacker page to observe rendering state or timing variations and reconstruct protected cross-origin data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; EPSS probability is low at 0.21% (11th percentile). Vendor-released patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page that abuses insufficient input validation in the Media component. Google rates the Chromium security severity as Medium and a fix is shipped in the stable channel, but no public exploit has been identified and EPSS exploitation probability is low at 0.21%. The high 9.6 CVSS reflects the total system compromise possible once chained, not standalone exploitability.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser interface elements - such as the address bar or origin indicators - by serving a crafted HTML page, potentially deceiving users into trusting malicious content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) confirms network-reachable exploitation with no privilege requirement but mandatory user interaction, limiting impact to partial integrity loss with no confidentiality or availability effect. No public exploit or active exploitation has been identified; an EPSS score of 0.21% at the 11th percentile indicates very low current exploitation probability, and this vulnerability does not appear in the CISA KEV catalog.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Autofill subsystem on iOS (versions prior to 150.0.7871.47) enables remote attackers to read sensitive data across origin boundaries by luring victims into performing specific UI gestures on a crafted page. Rooted in CWE-346 (Origin Validation Error), the Autofill policy enforcement layer fails to maintain proper origin isolation under targeted interaction conditions. With an EPSS of 0.21% (11th percentile) and no CISA KEV listing, no public exploit identified at time of analysis, though the CVSS-rated High confidentiality impact warrants prompt patching given Chrome's broad iOS deployment footprint.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Safe Browsing component on iOS enables remote attackers to mislead users through a crafted HTML page, potentially causing them to dismiss or misinterpret security warnings. Only Chrome for iOS versions prior to 150.0.7871.47 are affected; the desktop channel is not impacted by this specific flaw. No public exploit code exists and exploitation probability is very low (EPSS 0.21%, 11th percentile), though the network-accessible, zero-authentication attack surface keeps it relevant where phishing-style delivery is feasible.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Insufficient policy enforcement in the Spellcheck component of Google Chrome prior to 150.0.7871.47 exposes process memory to attackers who have already achieved renderer process compromise. The vulnerability enables a second-stage information disclosure step in a chained attack: after compromising the renderer, the attacker serves a crafted HTML page that exploits the Spellcheck policy gap to read potentially sensitive data from memory. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; Google has released a fix in the stable channel update.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in the WebXR implementation of Google Chrome on Android (versions prior to 150.0.7871.47) allows remote unauthenticated attackers to exfiltrate sensitive cross-origin information by enticing a victim to visit a crafted HTML page. The flaw is rooted in CWE-693 (Protection Mechanism Failure), where WebXR fails to enforce cross-origin isolation policies on Android specifically. No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome DevTools before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, stemming from insufficient policy enforcement (CWE-693). NVD scores this 9.6 with a scope-change vector, though Google rates the Chromium severity only Medium and it is a second-stage bug requiring prior renderer compromise. No public exploit has been identified at time of analysis and EPSS is low (0.21%), consistent with a chained rather than standalone threat.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's iOSWeb component on iOS allows remote attackers to misrepresent interface elements to users running versions prior to 150.0.7871.47. The vulnerability, rooted in an inappropriate implementation (CWE-451), is triggered when a user performs specific UI gestures on a crafted HTML page, enabling spoofing of security-critical browser interface elements such as the address bar or permission dialogs. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the high attack complexity and mandatory user interaction meaningfully constrain real-world risk.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome's Codecs component (prior to 150.0.7871.47) enables remote attackers to leak sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS C:H rating reflects meaningful exposure of in-process data such as session tokens or credentials, though Chromium's own team assessed this as Medium severity, and the sandbox boundary (S:U) limits blast radius to the renderer. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Race condition exploitation in Google Chrome for iOS (prior to 150.0.7871.47) exposes potentially sensitive data from process memory to a local attacker with physical device access. The flaw is rooted in improper synchronization (CWE-362) and requires high attack complexity to successfully win the timing window. No public exploit has been identified and the vulnerability is not listed in CISA KEV; the vendor has released a patching fix in the 150.0.7871.47 stable channel update.

Information Disclosure Apple Race Condition +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome for iOS prior to version 150.0.7871.47 enables remote attackers to misrepresent browser interface elements - such as address bars or security indicators - by delivering a crafted HTML page to a victim on an iOS device. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw exploits an inappropriate implementation specific to Chrome's iOS code path, which differs from desktop Chrome due to WKWebView constraints imposed by Apple. No public exploit code exists, CISA SSVC rates exploitation as none, and EPSS sits at the 12th percentile, indicating minimal real-world threat at time of analysis.

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who already controls a compromised renderer process break out of the browser sandbox through insufficient policy enforcement in the Web Serial API, using a crafted HTML page. Google rated the underlying Chromium bug Medium severity even though NVD assigns a 9.6 CVSS due to the scope-changing impact. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.22%, 12th percentile).

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing via Chrome's Autofill component affects all desktop installations prior to version 150.0.7871.47, enabling a remote attacker to misrepresent interface elements through a crafted HTML page. Exploitation requires both navigating to an attacker-controlled page and performing specific UI gestures, reflected in CVSS AC:H and UI:R - passive browsing is insufficient. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.2 Medium score reflects limited integrity and availability impact with no confidentiality loss.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's WebUI component (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive data across origin boundaries by delivering crafted malicious network traffic to an unpatched browser. The flaw arises from insufficient input validation (CWE-20) within the WebUI layer, undermining same-origin policy protections and exposing data from isolated origins to attacker-controlled contexts. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.20% (10th percentile), and no public POC has been identified; a vendor-released patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for iOS prior to 150.0.7871.47 exposes sensitive information from other origins when a remote attacker convinces a victim to perform specific UI gestures on a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome browser layer, classified under CWE-451 (UI Misrepresentation), and enables confidentiality compromise without requiring attacker privileges. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (12th percentile) signals low near-term automated exploitation risk.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in the Chromecast component of Google Chrome prior to 150.0.7871.47 enables a remote attacker, who has already achieved renderer process compromise, to exfiltrate potentially sensitive data from process memory via a crafted HTML page. This is a second-stage, chained vulnerability - it cannot be exploited in isolation and requires a prior renderer compromise as a prerequisite. Google has released a patch in Chrome 150.0.7871.47; no public exploit code or CISA KEV listing has been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage in WebAuthentication within Google Chrome on iOS (versions prior to 150.0.7871.47) enables a remote attacker to infer cross-origin data by directing a victim to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms network-exploitable impact with high confidentiality loss, constrained by mandatory user interaction and scoped exclusively to the iOS platform. No public exploit identified at time of analysis; EPSS at 0.25% (16th percentile) signals low near-term exploitation probability, and no CISA KEV listing is present.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's NFC implementation on Android exposes sensitive information to attackers who have already compromised the renderer process. Chrome versions prior to 150.0.7871.47 on Android fail to properly validate origins when handling NFC interactions, allowing a renderer-level attacker to read data across origin boundaries via a crafted HTML page. No public exploit or CISA KEV listing exists at time of analysis, and EPSS sits at the 11th percentile, indicating low observed exploitation probability despite the theoretical confidentiality impact.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Type Confusion in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Information Disclosure Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Race in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Race Condition +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Process memory disclosure in Google Chrome's ANGLE graphics abstraction layer (versions prior to 150.0.7871.47) enables a renderer-compromised attacker to read potentially sensitive data from process memory via a crafted HTML page. This is a post-exploitation, second-stage vulnerability: it cannot be triggered without a prior renderer process compromise, functioning as a chaining component rather than a standalone entry point. No public exploit code or CISA KEV listing has been identified at time of analysis; Chromium's own team rates it Medium severity, consistent with the prerequisite attack complexity.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. This is a second-stage exploit component: it does not independently achieve remote code execution but can be chained with a renderer exploit to leak process memory contents, potentially exposing credentials, tokens, or other in-memory sensitive data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Race condition in the DataTransfer API in Google Chrome prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from renderer process memory by luring a user to a specially crafted HTML page. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms the impact is limited to confidentiality - no integrity or availability loss - and that reliable exploitation requires winning a timing race (AC:H) combined with user interaction. No public exploit identified at time of analysis; Google has shipped a patch in the stable channel update dated June 2026.

Information Disclosure Race Condition Google +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 150.0.7871.47 lets a local attacker break out of the renderer/browser sandbox by feeding a malicious file into the WebAppInstalls component, which insufficiently validates untrusted input (CWE-20). Chromium rates the security severity as Medium, and no public exploit has been identified at time of analysis; EPSS estimates only a 0.13% (3rd percentile) chance of exploitation in the next 30 days. A vendor patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing via Chrome's Geolocation implementation (versions prior to 150.0.7871.47) allows a remote, unauthenticated attacker to deceive users about the origin or context of geolocation permission requests through a crafted HTML page. Exploitation requires user interaction with the malicious page, limiting automated attack potential. With EPSS at 0.21% (11th percentile), no CISA KEV listing, and no public exploit identified, real-world exploitation risk is low despite the broad deployment footprint of Chrome.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome Enterprise prior to version 150.0.7871.47 allows unauthenticated remote attackers to deceive users into believing they are interacting with legitimate browser UI by serving a crafted HTML page. The root cause is insufficient validation of untrusted HTML input within Chrome's Enterprise component (CWE-20), enabling an attacker to manipulate visual elements such as address bars, dialog prompts, or permission requests. No public exploit has been identified at time of analysis and EPSS sits at 0.21% (11th percentile), indicating low current exploitation probability despite a network-accessible attack vector.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. SSVC assessment rates exploitation as none and the attack non-automatable, and no public exploit has been identified at time of analysis; Google has released a patched build at 150.0.7871.47.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing via crafted HTML in Google Chrome's Geometry component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent security-critical interface elements to users who are socially engineered into performing specific UI gestures. The flaw stems from an inappropriate implementation in Chrome's Geometry subsystem (CWE-451), affecting the integrity and availability of the browser interface at low impact levels. No public exploit or active exploitation has been identified; Google has released a confirmed patch in version 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Omnibox spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables remote unauthenticated attackers to display a falsified URL in the browser address bar by delivering a crafted HTML page to an iOS user. The flaw is classified CWE-451 (UI misrepresentation of critical information) and is iOS-platform-specific, with no impact on Chrome for Android, Windows, macOS, or Linux. No active exploitation is confirmed - the vulnerability is not listed in CISA KEV and EPSS sits at 0.22% (12th percentile) - but the spoofing primitive is a classic enabler of targeted phishing campaigns against mobile users.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Canvas component prior to version 150.0.7871.47 exposes sensitive cross-origin content to remote attackers via a crafted HTML page. The flaw bypasses Same-Origin Policy protections enforced at the Canvas API layer, enabling pixel-level or structured data extraction from cross-origin resources rendered in a canvas context. With CVSS 6.5, EPSS at 0.21% (11th percentile), and no CISA KEV listing or public exploit identified at time of analysis, real-world exploitation is low-probability but credible given the zero-privilege, network-accessible attack path requiring only a single user visit.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome before 150.0.7871.47 allows remote unauthenticated attackers to visually deceive users by serving a crafted HTML page that exploits a flaw in Chrome's CSS implementation. The flaw (CWE-451: UI Misrepresentation of Critical Information) enables attacker-controlled content to obscure or mimic trusted browser UI elements such as the address bar or security indicators, creating a credible phishing surface. No public exploit has been identified at time of analysis, and the EPSS score of 0.22% (12th percentile) indicates minimal observed exploitation activity; however, Google's internal Chromium severity rating of 'High' reflects the significant phishing and credential-theft potential inherent in convincing browser UI spoofing.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library on macOS allows a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. Affected are all Chrome versions on Mac prior to 150.0.7871.47. The flaw stems from uninitialized memory use within ANGLE, Chrome's graphics abstraction layer, enabling residual memory contents from other security origins to be read and potentially returned to an attacker-controlled page. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.23% (13th percentile), consistent with a high-CVSS flaw constrained by both user-interaction and platform requirements.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's Autofill implementation on Android allows a remote attacker with prior renderer process compromise to extract sensitive data across origin boundaries using a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. No public exploit code has been identified and the EPSS score of 0.21% (11th percentile) reflects low observed exploitation activity; however, the cross-origin data exposure (CWE-346) combined with Autofill access creates meaningful privacy risk for users on vulnerable Android builds. Google has released a patch in the stable channel update.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out of bounds read in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 150.0.7871.47 stems from insufficient input validation in the Glic component, allowing a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page); there is no public exploit identified at time of analysis and EPSS estimates only a 0.21% exploitation probability. A vendor patch is available and the issue is not listed in CISA KEV.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android prior to 150.0.7871.47 enables remote attackers to read data from other origins via a crafted HTML page exploiting insufficient validation in the File Input component. The flaw is Android-platform-specific, requiring only that a victim user navigate to an attacker-controlled page. No active exploitation has been confirmed (CISA KEV negative, SSVC exploitation: none), and EPSS at 0.21% (11th percentile) reflects low current exploitation interest, though the unauthenticated, low-complexity attack vector keeps it a relevant patching priority for Android Chrome deployments.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome for iOS prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to broader access on the device. The flaw stems from insufficient policy enforcement (CWE-20) and carries a High Chromium severity rating with a CVSS 8.3 (scope-changed) score. There is no public exploit identified at time of analysis and it is not in CISA KEV; EPSS probability is low at 0.21% (11th percentile).

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome for Linux (prior to 150.0.7871.47) allows a remote attacker to read sensitive contents from the browser's process memory by directing a user to a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's input handling subsystem, and is platform-specific - only Linux builds are affected. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the network-reachable, zero-authentication attack path and high confidentiality impact make patching a near-term priority for Linux desktop environments.

Google Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.

Information Disclosure Apple Google +1
NVD VulDB
Prev Page 14 of 741 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
66661

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy