CVE-2026-10928: Script Injection in Google Chrome Headless – CVSS 8.8 High Severity
A script injection vulnerability in Google Chrome's Headless mode allows attackers to execute arbitrary code on a user's system through a malicious HTML page. The flaw requires user interaction—specifically, the victim must open a crafted webpage in an affected Chrome version—but once triggered, an attacker gains the same privileges as the user running the browser, including the ability to read files, modify data, or install malware.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-94
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Script injection in Headless in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10928 is a script injection vulnerability (CWE-94) in the Headless component of Google Chrome versions prior to 149.0.7827.53. The vulnerability stems from improper input validation or sanitization in script handling within Headless mode, enabling remote code execution. The Chromium security team assigned this a High severity rating. The attack surface is network-based with low complexity; exploitation requires user interaction via a specially crafted HTML page but no special privileges or system configuration.
Business impact
Successful exploitation could result in unauthorized code execution within the browser context, potentially leading to data theft, credential harvesting, malware installation, or lateral movement into corporate networks if the affected browser runs with elevated privileges. For enterprises relying on Chrome for web applications or allowing browser-based work, this represents a direct path to endpoint compromise and possible data exfiltration.
Affected systems
Google Chrome on Windows, macOS, and Linux is affected. Any Chrome version prior to 149.0.7827.53 is vulnerable. Organizations deploying Headless Chrome for automation, testing, or server-side rendering should treat this with urgency, as Headless instances often run with minimal user oversight and may process untrusted content.
Exploitability
Exploitability is moderate to high. The attack requires network access and user interaction (opening a malicious HTML page), but the technical barrier is low—an attacker need only craft an HTML page that triggers the script injection. No authentication, special system configuration, or advanced reconnaissance is needed. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog, but the straightforward attack vector and high impact make it an attractive target once public details emerge.
Remediation
Update Google Chrome to version 149.0.7827.53 or later immediately. Verify the update through Settings > About Google Chrome, which will display the current version and auto-check for updates. For enterprise deployments, use Chrome Enterprise policies to enforce automatic updates or managed rollout. Users of Headless Chrome in CI/CD pipelines or automated systems should prioritize patching in test environments first, then production.
Patch guidance
Google Chrome should auto-update to version 149.0.7827.53 or later. Manually verify the patch by navigating to Chrome menu > Help > About Google Chrome; the browser will check for updates and display the installed version. For Linux users installing from distribution repositories, ensure your package manager provides the patched version. Enterprise administrators can confirm patch deployment via Chrome Management console or by querying device policies. Verify against the official Google Chrome release notes to confirm the exact patched version for your platform.
Detection guidance
Monitor Chrome version inventory across endpoints to identify instances running versions below 149.0.7827.53. Use endpoint detection and response (EDR) tools to flag unusual script execution originating from Chrome processes, particularly execution of unsigned binaries or PowerShell/cmd invocations spawned by the browser. Log and alert on abnormal network activity from Chrome (data exfiltration, C2 beaconing). In network monitoring, inspect traffic for delivery of known malicious HTML payloads. For Headless Chrome users, audit logs for unexpected subprocess spawning or file system writes during automation jobs.
Why prioritize this
This vulnerability merits immediate attention due to the combination of high CVSS score (8.8), low exploitation complexity, and the ubiquity of Chrome across endpoints. The requirement for user interaction is offset by the trivial attack surface (a webpage) and the severity of potential impact (arbitrary code execution with user privileges). Organizations should prioritize patching within 24–48 hours, particularly for systems handling sensitive data or internet-facing roles.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects a network-based attack requiring user interaction but offering complete compromise of confidentiality, integrity, and availability within the browser context and user profile. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network accessibility, low attack complexity, no privilege requirements, user interaction needed, unchanged scope, and high impact across all three security pillars. This score appropriately reflects the practical risk: attackers need only social engineering to deliver a malicious link, after which the browser is fully compromised.
Frequently asked questions
Will Chrome auto-update to fix this vulnerability?
Yes. Chrome is designed to auto-update in the background. To verify you have the patch, open Chrome menu > Help > About Google Chrome, and the browser will check for updates and show your current version. Restart Chrome if an update is pending. For enterprise users, confirm that update policies are enabled and check the management console for deployment status.
What happens if I visit a malicious HTML page while vulnerable?
If your Chrome version is below 149.0.7827.53 and you visit a specially crafted HTML page hosting the exploit, the attacker can execute arbitrary code with your user privileges. This could enable file theft, credential capture, malware installation, or use of your machine to attack others. Avoid clicking suspicious links and keep Chrome up to date.
Does this affect Chrome on mobile devices?
Google Chrome on Android and iOS may also be affected depending on the Chromium base version and timing of vendor updates. Check your mobile device's app store for Chrome updates and enable auto-update. Refer to Google's official security advisories for platform-specific details.
Is this exploited in the wild or part of active campaigns?
As of the publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation has been publicly reported. However, the straightforward attack vector and high impact mean attackers may develop exploits. Patching promptly reduces the window of opportunity.
This analysis is based on publicly available vulnerability data and Chromium security advisories current as of the publication date. Organizations should verify patch availability and version numbers against official Google Chrome release notes and vendor advisories before deploying updates. Security impact may vary based on browser configuration, user privilege level, and network environment. This document does not constitute legal, compliance, or warranty advice. Always test patches in a controlled environment before enterprise-wide deployment. For questions on vendor-specific mitigations or extended support, contact your Chrome account representative or IT vendor directly. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)