CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Insufficient validation of untrusted input in Blink in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
An uninitialized use vulnerability in codecs within Google Chrome on Windows prior to version 150.0.7871.47 allows a remote attacker to read potentially sensitive information from process memory via a crafted HTML page.
In Google Chrome prior to version 150.0.7871.47, incorrect security UI in Extensions allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
An incorrect security UI in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
Insufficient validation of untrusted input in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file.
Insufficient policy enforcement in XML in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
An inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.
An inappropriate implementation in PerformanceAPIs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Insufficient policy enforcement for USB in Google Chrome prior to 150.0.7871.47 allows a remote attacker who compromised the renderer process to potentially escape the sandbox via a crafted HTML page.
An uninitialized use vulnerability in the GPU component of Google Chrome prior to version 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension.
An uninitialized use vulnerability in the XR component of Google Chrome prior to version 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
An inappropriate implementation in ScriptInjections in Google Chrome on iOS before version 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. The issue has been fixed in the mentioned version.
Insufficient policy enforcement in Extensions in Google Chrome on Linux prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension.
In Google Chrome on Mac prior to version 150.0.7871.47, an inappropriate implementation in the DataTransfer component allowed a remote attacker who convinced a user to perform specific UI gestures to leak cross-origin data via a crafted HTML page.
An uninitialized use vulnerability in CSS in Google Chrome on Android prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from process memory via a crafted HTML page.
Inappropriate implementation in Video Capture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a crafted HTML page.
In Google Chrome on Android prior to version 150.0.7871.47, an inappropriate implementation in SiteSettings allowed a remote attacker to perform UI spoofing via a crafted HTML page.
An uninitialized use in Cast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via malicious network traffic.

