CVE-2026-13021
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
An inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Risk Assessment
An attacker could steal data or perform unauthorized operations in the context of another domain, leading to a breach of user data confidentiality and integrity.
Recommendation
Immediately update Google Chrome to version 149.0.7827.197 or later. Ensure the update is applied on all workstations.
Original NVD description (English source)
Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

