CVE-2026-11169: Chrome XML Injection UXSS Vulnerability – High-Risk Patch Required
Google Chrome versions before 149.0.7827.53 contain a flaw in how they process XML files that allows attackers to inject malicious scripts or HTML content into a webpage, even when normal security protections should prevent it. An attacker would need to trick a user into opening a specially crafted XML file, but once successful, the injected code can execute with the same privileges as the user, potentially stealing data or taking other harmful actions. The vulnerability affects Chrome on Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-91
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11169 is an Unintended Cross-Site Scripting (UXSS) vulnerability stemming from inappropriate XML parsing implementation in Chrome's rendering engine. The flaw exists in CWE-91 (XML Injection) and permits a remote attacker to bypass the Same-Origin Policy by injecting arbitrary scripts or HTML through a malicious XML document. The attack requires user interaction (opening the XML file) but does not require prior authentication or special privileges. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux platforms.
Business impact
This vulnerability creates risk for organizations where users may encounter or be socially engineered into opening untrusted XML files or documents. The ability to execute arbitrary scripts in the browser context could lead to credential theft, session hijacking, malware installation, or exfiltration of sensitive data displayed in the browser. Financial services, healthcare, and other data-sensitive industries should treat this as a priority. Users who browse untrusted websites or email attachments are at elevated risk.
Affected systems
Google Chrome prior to version 149.0.7827.53 on Windows, macOS, and Linux is vulnerable. The vulnerability also affects systems with Chrome rendering components integrated into other applications. End-user systems, managed corporate devices, and Chromebook deployments are all at risk if not promptly updated.
Exploitability
Exploitation requires user interaction (opening a crafted XML file or visiting a malicious webpage that triggers XML parsing), but the attack surface is broad. No special system access or privileged position is needed—any remote attacker can craft and distribute the malicious XML. The attack complexity is low once delivery is successful. The high CVSS score (8.1) reflects the ease of delivery, lack of privilege requirements, and the sensitive impact (high confidentiality and integrity breach).
Remediation
Immediately update Google Chrome to version 149.0.7827.53 or later. Enable automatic updates in Chrome settings to prevent future delays. Organizations should enforce Chrome version policies through mobile device management (MDM) or endpoint management tools. Users should avoid opening XML files from untrusted sources and be cautious with email attachments, especially those claiming to be documents or data exports.
Patch guidance
Google has released Chrome 149.0.7827.53 as the fix. Update via Chrome Settings > About Google Chrome, which will automatically check for the latest version and apply patches. On Windows and Linux, restart Chrome after the update completes. macOS users should also restart the browser. For enterprise deployments, consult your MDM platform to enforce the minimum version requirement. Verify the installed version in Settings > About Google Chrome to confirm the patch is applied.
Detection guidance
Monitor for Chrome version compliance across your organization using endpoint management tools or EDR solutions that inventory installed applications. Look for network indicators such as requests to untrusted or newly registered domains delivering XML payloads, and monitor browser process activity for unusual script execution or DOM manipulation events. Inspect browser console logs and security headers for signs of injected content. If you suspect exploitation, check browser history for unexpected XML file opens or suspicious website visits.
Why prioritize this
The combination of high CVSS (8.1), zero authentication requirements, low attack complexity, and remote deliverability places this vulnerability in the high-priority category for patching. Although Chromium reported it as medium severity, the CVSS assessment reflects significant real-world risk. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but given the straightforward attack vector and the broad Chrome user base, rapid patching is essential before active exploitation becomes widespread.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) is justified by: (1) Network-based attack vector requiring no special access, (2) Low attack complexity with no unusual conditions, (3) No privilege escalation needed, (4) User interaction required but readily achievable through social engineering, (5) High confidentiality impact (data theft), (6) High integrity impact (script/HTML injection), and (7) No availability impact. The vulnerability does not require system-level access, making it a significant threat to individual users and organizations managing large Chrome deployments.
Frequently asked questions
Do I need to take action if Chrome updates automatically?
Automatic updates will eventually deliver version 149.0.7827.53, but timing can vary. Verify your current version in Chrome Settings > About Google Chrome—if you see a version number lower than 149.0.7827.53, manually restart Chrome to complete any pending update. In enterprise environments, do not rely solely on automatic updates; enforce version requirements via policy.
Can this vulnerability be exploited without user interaction?
No, the attack requires a user to open a crafted XML file or interact with a webpage that serves malicious XML. However, attackers can use social engineering (phishing emails with XML attachments, misleading download links) to trick users into opening the file, making the user-interaction requirement a minor barrier in practice.
Are Chromebook users affected?
Yes, Chromebooks run Chrome and are vulnerable until updated. Chromebooks managed by an organization will typically receive updates automatically through Chromebook policy settings, but users should still verify their device is running version 149.0.7827.53 or later.
Is this vulnerability being actively exploited?
As of the most recent information, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation in the wild at this time. However, the ease of exploitation and broad Chrome user base mean organizations should not delay patching.
This analysis is based on available CVE data and Chromium security advisories as of the publication date. Patch version numbers and availability should be verified against official Google Chrome release notes. This vulnerability analysis does not constitute formal security advice and should be validated against your organization's specific environment and risk profile. Always consult vendor advisories and your internal security policy before deploying patches or making enforcement decisions. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment