CVE-2026-14141
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A vulnerability in the Document Picture-in-Picture feature in Google Chrome on Android prior to version 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. The issue is due to incorrect security UI.
Risk Assessment
An attacker can display a fake domain to the user in the Picture-in-Picture window, potentially leading to credential theft or other phishing scams.
Recommendation
Update Google Chrome on Android to version 150.0.7871.47 or later immediately.
Original NVD description (English source)
Incorrect security UI in Document Picture-in-Picture in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)

