CVE-2026-13990
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page.
Risk Assessment
The risk involves UI spoofing attacks that could trick users into revealing sensitive information or performing unauthorized actions within the browser.
Recommendation
Immediately update Google Chrome to version 150.0.7871.47 or later on all Windows systems. Also consider implementing measures to limit the impact of renderer process compromise.
Original NVD description (English source)
Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

