MEDIUM 5.4

CVE-2026-11157: Chrome Script Injection in Accessibility (UXSS via Extension)

A script injection vulnerability in Google Chrome's accessibility features allows attackers to inject arbitrary scripts and HTML into web pages if a user installs a malicious extension. The vulnerability, tracked as CVE-2026-11157, requires user interaction (installing an extension) to exploit, making it a social engineering vector rather than a network-based attack. Chrome versions before 149.0.7827.53 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-94
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability exploits a flaw in Chrome's accessibility subsystem that fails to properly sanitize input from extensions, enabling Unrestricted XSS (UXSS) attacks. The root cause is classified under CWE-94 (Code Injection), allowing malicious extensions to execute arbitrary JavaScript in the context of any webpage. The attack surface is limited to users who explicitly install a malicious extension, but once installed, the extension can manipulate the DOM and execute scripts without origin restrictions.

Business impact

Organizations relying on Chrome for sensitive workflows face reduced confidentiality and integrity. An attacker exploiting this vulnerability via a deceptive extension could steal session credentials, modify displayed content, redirect users to phishing pages, or harvest sensitive information from high-value websites. The attack requires social engineering (extension installation), limiting blast radius, but insider threats or supply-chain compromises could weaponize this at scale. Data theft and credential compromise are the primary business risks.

Affected systems

Google Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux are vulnerable. The vulnerability is specific to Chrome's extension architecture and accessibility APIs; other Chromium-based browsers may require separate assessment. Non-Chrome browsers are unaffected.

Exploitability

Exploitability is moderate. The attack requires user interaction (convincing a user to install a malicious extension disguised as legitimate), which is a significant barrier. No network-based exploitation or zero-click mechanisms exist. However, once an extension is installed, the vulnerability is trivial to exploit programmatically. Social engineering tactics, fake review manipulation, or supply-chain distribution of trojanized extensions lower the practical barrier for well-resourced threat actors.

Remediation

Update Chrome to version 149.0.7827.53 or later immediately. Verify the update via Settings > About Google Chrome, which triggers automatic installation. Conduct an extension audit: navigate to chrome://extensions/ and remove unrecognized, unused, or suspicious extensions. Review extension permissions, especially those requesting broad host permissions or accessibility access. Educate users on extension installation risks and establish a policy restricting extension installation to trusted sources or disabling extensions organization-wide if feasible.

Patch guidance

Patch availability: Chrome 149.0.7827.53 addresses this vulnerability. Deployment strategy: Chrome auto-updates by default on most platforms, but verify completion by checking Settings > About Google Chrome. For managed deployments, use Google Admin console policies to enforce updates across devices. Users should not delay patching, as the fix is straightforward and carries no known compatibility risks. Test in non-production environments first if your organization runs highly customized Chrome configurations.

Detection guidance

Monitor for suspicious extension installations using endpoint detection tools or Chrome device management logs. Search for extensions with recent installation dates, especially those from unknown publishers or with unusual permission requests. Audit chrome://extensions/ for extensions requesting 'Execute scripts on all websites' or 'Modify data on all websites' permissions in combination with accessibility permissions. Log and alert on failed extension verification attempts. Network signatures are not applicable since this is client-side; focus on behavioral indicators such as DOM manipulation anomalies or unexpected script execution in browser developer tools.

Why prioritize this

Although the CVSS score is 5.4 (Medium), prioritize this vulnerability because: (1) Chrome's ubiquity in enterprise environments means broad exposure; (2) extension-based attacks are increasingly common in real-world campaigns; (3) the attack chain (install malicious extension) is reproducible by non-experts via social engineering; (4) the impact (UXSS) is high—attackers gain unrestricted script execution on any website. Organizations with high user awareness and strict extension policies face lower risk but should still patch promptly.

Risk score, explained

CVSS 5.4 reflects the vulnerability's reliance on user interaction (UI:R reduces the base score significantly) and limited scope (single-user compromise, no lateral movement). However, the CVSS vector understates organizational risk because it does not account for prevalence of Chrome in enterprises, likelihood of successful social engineering, or downstream impact of credential theft via UXSS. For most security teams, a risk score of 6–7 (Medium-High) is more appropriate after adjusting for organizational context.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. The attacker must convince the user to install a malicious extension. There is no network-based or zero-click exploitation path. This significantly limits the attack surface but makes social engineering campaigns viable.

Do I need to remove all extensions to be safe?

No. Only extensions from untrusted sources are a risk. If your organization curates an approved list of extensions and restricts installation to those via policy, you can reduce risk substantially. Regularly audit installed extensions and remove those no longer in use.

Does this affect Chromebook devices differently?

Chromebooks running Chrome OS are affected by the same vulnerability if they run the vulnerable Chrome version. Patch priority and detection strategies are identical. Managed Chromebooks are easier to update at scale via Google Admin console.

What permissions should I restrict on extensions?

At minimum, restrict extensions from requesting broad host permissions (e.g., 'access all websites') unless business-critical. Accessibility-related permissions (chrome.accessibilityFeatures) should be granted only to reputable accessibility tools. Use Chrome's permission prompt system to require user approval for sensitive access.

This analysis is based on the CVE description, CVSS vector, and vendor product information available as of the publication date. It does not constitute professional security advice. Organizations should verify patch availability and compatibility with their specific Chrome versions and configurations. Exploit code is not disclosed in this document to prevent weaponization. For the authoritative patch details, consult the Chrome Security Release page and Google's official advisory. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).