CVE-2026-11166: Chrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
Google Chrome versions before 149.0.7827.53 contain a flaw in how it processes SVG (Scalable Vector Graphics) content that allows attackers to inject malicious scripts or HTML into web pages. An attacker would craft a specially designed HTML page and trick a user into visiting it; if the user does, arbitrary code could execute within the browser with the user's privileges, potentially stealing data, modifying page content, or performing actions on the user's behalf. The vulnerability requires user interaction and is rated Medium severity by Google's security team.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from an inappropriate implementation of SVG parsing and handling in Chrome's rendering engine. SVG files are XML-based graphics that can embed scripts, and the security boundary between SVG content and the hosting page was not properly enforced. This allows an attacker to craft a malicious HTML document containing specially formatted SVG that bypasses Chrome's same-origin policy restrictions, enabling unrestricted script execution in the context of arbitrary web origins—a condition known as Universal Cross-Site Scripting (UXSS). The attack vector is network-based, requires user interaction (visiting a malicious page), and does not require special privileges. The flaw affects Chrome's core rendering path and would be triggered during normal browsing.
Business impact
This vulnerability poses a data exfiltration and account compromise risk. Affected users who visit attacker-controlled or compromised websites could have session tokens, authentication credentials, or sensitive page data stolen without their knowledge. The Medium severity rating and user-interaction requirement limit widespread automated exploitation, but targeted campaigns against high-value users (executives, developers, finance teams) could be effective. Organizations reliant on Chrome for internal applications or cloud services should treat this as a timely patch priority. The impact is contained to the user's browsing session and local system—no server compromise is implied.
Affected systems
Google Chrome is the primary affected product. The vulnerability also affects Chrome variants and integrations on major platforms: Apple macOS, Microsoft Windows, and Linux systems running Chrome. Any organization or individual using Chrome versions prior to 149.0.7827.53 is at risk. Chromium-based browsers (Edge, Brave, Opera, etc.) built from vulnerable Chromium source may also be affected; verify vendor advisories for those products separately. Enterprise Chrome deployments managed via mobile device management (MDM) or browser policies should prioritize updates.
Exploitability
Exploitability is moderate. An attacker must host or inject a malicious HTML page and socially engineer or lure a user to visit it—there is no wormable vector or in-the-wild self-propagation mechanism. However, the attack is reliable once a user visits the page, requires no additional browser configuration, and leaves minimal forensic traces if the user does not inspect network logs. The Medium CVSS score (6.8) reflects this balance: network-reachable, high confidentiality and integrity impact, but requiring user action and offering no availability impact. No evidence of active exploitation in the wild has been reported at the time of this writing, and the vulnerability was not flagged for inclusion in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Update Google Chrome to version 149.0.7827.53 or later. The fix addresses the SVG rendering logic to properly enforce script boundaries and prevent injection into unintended origins. For enterprise environments, deploy updates via your MDM solution or through Chrome's auto-update mechanism. Verify that auto-update is enabled; Chrome normally updates in the background and prompts users to relaunch the browser. For users unable to update immediately, mitigate by avoiding untrusted websites and disabling JavaScript execution via browser settings (though this is not practical for general web browsing).
Patch guidance
Verify the installed Chrome version by navigating to chrome://settings/help; the browser will check for and apply updates automatically. If an update is available, relaunch Chrome to complete the process. Enterprise administrators should monitor Chrome rollout via your management console and confirm version adoption across your fleet. No manual configuration changes are required post-update. Rollback is not necessary unless the new version introduces a regression; in that case, report the issue to Google and remain on the previous patched version only temporarily.
Detection guidance
Monitor browser crash logs and JavaScript errors for anomalous SVG processing on potentially compromised client machines. Detection at the network level is difficult since the attack occurs within the browser sandbox during normal HTTPS traffic. Endpoint detection and response (EDR) tools should monitor for unusual child processes spawned from Chrome (potential post-exploitation activity). Web access logs showing visits to known malicious domains can provide indirect evidence. Consider browser isolation or sandboxing technologies (e.g., browser-in-the-cloud) for high-risk users to contain potential exploitation.
Why prioritize this
Prioritize this patch because (1) it affects a ubiquitous browser used by nearly all organizations, (2) exploitation requires only social engineering rather than a network-accessible service, (3) data theft impact is direct and high-value, and (4) the fix is a straightforward automatic update with no breaking changes. The Medium severity and lack of zero-day status mean this is not an emergency-response priority, but it should be completed within standard patch cycles (1–2 weeks for high-touch users, 2–4 weeks for general population).
Risk score, explained
The CVSS 3.1 score of 6.8 (Medium) is justified by the combination of high confidentiality and integrity impact (C:H, I:H—attackers can read and modify page data), network accessibility (AV:N), lack of privilege requirements (PR:N), but moderate attack complexity due to user interaction requirement (AC:H, UI:R) and lack of scope escalation (S:U). The score appropriately reflects that this is a client-side browser vulnerability with real but not critical impact—it does not enable system compromise, only session hijacking and data theft at the web application layer.
Frequently asked questions
Can this vulnerability be exploited if a user simply visits an affected website, or is additional action required?
A user must visit a specifically crafted malicious HTML page. Simply visiting a normal website will not trigger the vulnerability. An attacker would need to control a website, compromise a legitimate website's content, or use phishing to direct users to a malicious domain. Normal browsing of trusted sites carries no added risk.
Does this affect Chrome extensions or only web pages?
The vulnerability is in Chrome's core SVG rendering for web pages. Chrome extensions run in a different security context and are not directly affected by this flaw. However, if an extension renders untrusted web content (which is rare and discouraged), it could be indirectly exploited.
Will macOS, Windows, and Linux users all need to patch Chrome separately?
No. Google Chrome is a cross-platform application that is updated uniformly. The same version number (149.0.7827.53 or later) applies to all operating systems. Each platform receives updates through the same Chrome update mechanism, so you only need to ensure Chrome is up to date—the OS does not matter.
If a user has auto-update enabled, do they need to take manual action?
Chrome's auto-update will download and apply the fix in the background. The user must relaunch the browser for the new version to take effect. They may see a prompt to relaunch; completing that step finalizes the patch. No manual download or installation is needed.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. CVSS scores, affected versions, and remediation guidance are based on vendor advisories and should be verified against Google's official security bulletin and your own testing before deployment. Exploitability assessments are subject to change as threats evolve. Always consult official vendor documentation and your organization's security policy before making patch decisions. SEC.co does not accept liability for patch decisions or security outcomes resulting from this guidance. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability