CVE Catalog

CVE-2026-13957

MediumCVSS 4.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

In Google Chrome prior to version 150.0.7871.47, incorrect security UI in Extensions allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

Risk Assessment

The risk involves a Universal XSS attack, which could lead to data theft, session hijacking, or unauthorized actions in the context of other websites.

Recommendation

Immediately update Google Chrome to version 150.0.7871.47 or later, and educate users to install only trusted extensions.

Original NVD description (English source)

Incorrect security UI in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS