Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Google
  • Android
  • Chrome

Configuration 1 [-]

AND
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

No data.

References
Link Providers
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html cve-icon cve-icon
https://issues.chromium.org/issues/497865734 cve-icon cve-icon
History

Fri, 05 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Google android
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products Google android

Fri, 05 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Insufficient Policy Enforcement in Chrome CustomTabs Leading to Cross-Origin Data Leakage

Fri, 05 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Chrome CustomTabs Android Cross‑Origin Data Leakage Before 149.0.7827.53
Weaknesses CWE-200

Fri, 05 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Chrome CustomTabs Android Cross‑Origin Data Leakage Before 149.0.7827.53
First Time appeared Google
Google chrome
Weaknesses CWE-200
Vendors & Products Google
Google chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-06-04T23:06:00.350Z

Updated: 2026-06-05T12:40:47.417Z

Reserved: 2026-06-04T17:11:03.303Z

Link: CVE-2026-11247

cve-icon Vulnrichment

Updated: 2026-06-05T12:40:34.671Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:01.130

Modified: 2026-06-05T20:40:23.357

Link: CVE-2026-11247

cve-icon Redhat

No data.