CVE Catalog

CVE-2026-13990

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page.

Risk Assessment

The risk involves UI spoofing attacks that could trick users into revealing sensitive information or performing unauthorized actions within the browser.

Recommendation

Immediately update Google Chrome to version 150.0.7871.47 or later on all Windows systems. Also consider implementing measures to limit the impact of renderer process compromise.

Original NVD description (English source)

Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Vulnerability data from NVD (NIST) · CISA KEV · EPSS