CVE-2026-13988
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A vulnerability in the Paint component of Google Chrome prior to version 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. The issue stems from an inappropriate implementation in the graphics rendering mechanism.
Risk Assessment
An attacker can trick users by displaying fake dialog boxes or buttons, potentially leading to credential theft or unintended actions.
Recommendation
Update Google Chrome to version 150.0.7871.47 or later immediately. Enable automatic updates for all browser instances across the organization.
Original NVD description (English source)
Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

