CVE Catalog

CVE-2026-14141

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A vulnerability in the Document Picture-in-Picture feature in Google Chrome on Android prior to version 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. The issue is due to incorrect security UI.

Risk Assessment

An attacker can display a fake domain to the user in the Picture-in-Picture window, potentially leading to credential theft or other phishing scams.

Recommendation

Update Google Chrome on Android to version 150.0.7871.47 or later immediately.

Original NVD description (English source)

Incorrect security UI in Document Picture-in-Picture in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS