CVE-2026-13957
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In Google Chrome prior to version 150.0.7871.47, incorrect security UI in Extensions allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
Risk Assessment
The risk involves a Universal XSS attack, which could lead to data theft, session hijacking, or unauthorized actions in the context of other websites.
Recommendation
Immediately update Google Chrome to version 150.0.7871.47 or later, and educate users to install only trusted extensions.
Original NVD description (English source)
Incorrect security UI in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

