MEDIUM 6.1

CVE-2026-11150: Chrome XML UXSS Vulnerability – Patch Guide

Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser processes XML within HTML pages. An attacker can craft a malicious webpage that, when visited, injects arbitrary scripts or HTML content that execute in the context of unrelated sites (a technique known as Universal Cross-Site Scripting or UXSS). This bypasses the same-origin policy that normally prevents one site from accessing data or performing actions on another. The vulnerability requires user interaction—a victim must visit the attacker's page—but does not require any special browser configuration or user privileges to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11150 is a UXSS vulnerability resulting from an inappropriate XML parsing implementation in Chromium's rendering engine. The flaw allows arbitrary script or HTML injection that can execute with privileges from different origins than the attacker's controlled page. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 score of 6.1 (Medium) reflects the network-based attack vector, low attack complexity, no privilege requirement, and required user interaction, balanced against limited scope and impact to confidentiality and integrity but not availability. The Chromium security team assigned it a Medium severity rating.

Business impact

This vulnerability poses a direct threat to user data confidentiality and integrity. An attacker could steal session cookies, credentials, or sensitive information from visited sites, or modify page content to phish users or distribute malware. Organizations whose employees use Chrome as their primary browser face exposure if users can be tricked into visiting attacker-controlled pages. The attack does not disrupt service availability, but the ability to execute arbitrary code cross-origin makes this a meaningful data exfiltration and account compromise vector. Security-conscious organizations should treat this as a priority remediation given the widespread use of Chrome and the relative ease of social engineering victims to a malicious link.

Affected systems

Google Chrome on Windows, macOS, and Linux systems running versions prior to 149.0.7827.53 are affected. The vulnerability exists in the Chromium rendering engine, which is also used by other Chromium-based browsers, though this CVE specifically references Chrome. Windows, macOS, and Linux operating systems themselves are listed as affected platforms, indicating Chrome installations across these OS families carry the risk.

Exploitability

Exploitability is moderate and practical. The attack requires no authentication or special privileges, and the network-based delivery vector means the attacker only needs to convince a user to visit a crafted webpage—via link, advertisement, or social engineering. No user-facing warnings or unusual browser behavior is required; the XML parsing flaw is triggered silently during normal page rendering. The CVSS requirement for user interaction reflects this necessity, but the low attack complexity and ease of weaponization (a simple HTML file with embedded or external JavaScript) mean functional exploits are trivial to develop. As of the published date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been reported, but this does not eliminate the risk.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Automatic updates are the preferred path; most Chrome installations check for updates on startup or periodic intervals. Organizations managing Chrome deployments through group policy (Windows), mobile device management (MDM), or fleet management tools should verify that auto-update policies are enabled and not blocked by firewall or proxy rules. Additionally, organizations should enforce a browser security posture that includes Content Security Policy (CSP) headers on internal applications to provide defense-in-depth against script injection attacks, though this does not mitigate the vulnerability itself.

Patch guidance

Chrome 149.0.7827.53 or later contains the fix. Verify the installed version in Chrome by navigating to chrome://version/ or checking Settings > About Google Chrome, which will also trigger an automatic update check if one is pending. For enterprise deployments, check your MDM or Group Policy distribution mechanism to confirm that the patch has been rolled out to all user devices. If you manage Chrome through a deployment tool, consult the vendor's documentation for patch distribution timelines; Google typically releases updates to stable channel over several hours to days to avoid overwhelming infrastructure. No workarounds are available; patching is the only mitigation.

Detection guidance

Monitor for failed XML parsing exceptions or script execution errors in Chrome logs (chrome://crashes/ and chrome://net-internals/#events for detailed diagnostics). Network-level detection is difficult without decrypting HTTPS traffic, but organizations can monitor for large volumes of traffic to unfamiliar external domains from Chrome processes. Endpoint detection and response (EDR) tools should flag processes spawned by Chrome or unusual Chrome memory access patterns. Consider deploying browser isolation or zero-trust browser technologies to execute untrusted websites in sandboxed containers, preventing payload execution on user machines. User education on phishing and link validation remains a key detection and prevention layer.

Why prioritize this

Prioritize this vulnerability for patching within your standard update cycle (typically within 48–72 hours of release for high-user-count devices). While the CVSS score is Medium and the vulnerability is not yet listed in CISA's KEV catalog, the combination of UXSS capability, low attack complexity, and ubiquitous Chrome adoption means that even a modest number of users visiting a malicious link exposes significant data exfiltration risk. The technical impact—cross-origin script execution—is a foundational attack primitive for credential theft and malware delivery. Organizations should treat this as equivalent to a High-priority patch in practice due to the user-facing risk and ease of social engineering.

Risk score, explained

The CVSS 3.1 score of 6.1 balances a relatively low attack complexity and network-based delivery against the requirement for user interaction and limited impact scope. The vector reflects no privilege requirement, required user interaction (clicking a link or visiting a page), changed scope (cross-origin execution), and partial impact to confidentiality and integrity. The Medium severity reflects that while the vulnerability enables data theft and content manipulation, it does not compromise system availability or grant persistent code execution on the victim's machine. A score of 6.1 does not capture the reputational and business risk of user data compromise, so organizations should contextualize this as a higher business priority than the numerical score suggests.

Frequently asked questions

Is this vulnerability being actively exploited?

No active exploitation has been reported to CISA's Known Exploited Vulnerabilities program as of the modification date (2026-06-17). However, the simplicity of crafting a malicious HTML page means exploitation is likely to begin shortly after public disclosure. Organizations should assume exploitation will occur and prioritize patching accordingly.

Do I need to update Chrome on every device, or only user-facing machines?

Patch all Chrome installations, including on employee workstations, servers running Chromium for automation or testing, and any systems where Chrome accesses the internet. Even if a server or development machine does not interact with untrusted websites, defense-in-depth practices recommend keeping all software versions current. Developer machines are particularly at risk if developers browse the web while logged into internal tools.

Will updating Chrome disrupt user workflows or require a restart?

Chrome typically restarts itself to apply updates; users will see a notification that an update is pending. Most updates do not require a full system reboot. For a smoother experience, users can allow Chrome to update overnight or during non-business hours. Organizations can schedule update deployments during maintenance windows using MDM or Group Policy.

Can I use a Content Security Policy or other browser settings to mitigate this without patching?

No. This is a rendering engine vulnerability that allows the attacker to bypass standard browser security boundaries. While CSP and other security headers are good security hygiene, they do not protect against a flaw in how Chrome parses XML. Patching is the only remediation.

This analysis is provided for informational purposes and reflects information available as of the published date. Threat actors and vulnerability details may evolve; refer to official Google Chrome security bulletins and vendor advisories for the most current guidance. Organizations should verify patch availability and compatibility in their specific environment before deployment. This analysis does not constitute legal, compliance, or professional security advice; consult with your security and legal teams regarding remediation timelines and business continuity requirements. Source: NVD (public-domain), retrieved 2026-07-12. Analysis generated by SEC.co (claude-haiku-4-5).