MEDIUM 6.5

CVE-2026-11180: Chrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide

Google Chrome versions before 149.0.7827.53 contain a flaw in how SVG (Scalable Vector Graphics) content is handled that could allow an attacker to steal data from other websites. An attacker would need to trick a user into visiting a malicious webpage, but does not require any special browser plugins or user permissions beyond normal browsing. The vulnerability affects Chrome on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
4 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11180 is a cross-origin data leak vulnerability in Chrome's SVG implementation. The root cause is an inappropriate implementation in the SVG handler that fails to properly enforce same-origin policy boundaries. An attacker crafting a malicious HTML page can exploit this to access sensitive information from cross-origin resources that the victim's browser has access to. The attack vector is network-based with no authentication required, though it does require user interaction (visiting the attacker's page). The vulnerability results in confidentiality loss only; it does not enable data modification or service disruption.

Business impact

This vulnerability poses a direct risk to organizations where employees browse the web using Chrome. An attacker could exfiltrate sensitive business data—such as intranet content, internal APIs, or session-specific information—by embedding malicious SVG content in a webpage and waiting for a user to visit. The impact depends on what cross-origin data is accessible to the victim's session at the time of visit. For security-conscious organizations, this is a confidentiality breach vector that should be addressed promptly.

Affected systems

The vulnerability affects Google Chrome prior to version 149.0.7827.53 across all major operating systems: Windows, macOS, and Linux. The underlying Chromium codebase is shared with other Chromium-based browsers, so confirm whether your organization uses other Chrome derivatives (Edge, Brave, Opera, etc.) and check their patch status separately. Users on Chrome 149.0.7827.53 and later are not vulnerable.

Exploitability

Exploitability is moderate. An attacker must craft a malicious HTML page and convince or trick a user into visiting it—no sophisticated social engineering is required, and standard phishing or ad-placement techniques suffice. Once a user lands on the malicious page, exploitation is automatic and requires no further user action. No special browser settings, extensions, or preconditions are needed. However, the attacker can only leak data that the victim's browser has cross-origin access to, which limits the scope somewhat depending on the target's browsing context and the websites they've visited.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will deploy the patch automatically on most systems, but verify completion especially in managed environments. Organizations using Chromium-based alternatives should check those vendors' advisories for equivalent patch versions. Users should also verify they are running the latest version by navigating to chrome://settings/help, which will trigger an immediate check for updates if needed.

Patch guidance

Google released Chrome 149.0.7827.53 with the fix. The patch is available across Windows, macOS, and Linux. For enterprise deployments using Google Chrome for Business or ChromeOS, verify patch deployment through your device management console. If you manage Chrome via group policy (Windows), mobile device management (MDM), or similar controls, confirm that automatic updates are enabled or manually trigger the update to version 149.0.7827.53 or later. No configuration changes or rollback risks are associated with this patch.

Detection guidance

Monitor Chrome version numbers in your environment using endpoint detection and response (EDR) tools or mobile device management systems. Most organizations can detect unpached systems by querying the Chrome version string (found in chrome://version/). Web proxy or firewall logs may show activity from malicious SVG-hosting sites, though this requires prior intelligence on attack infrastructure. Behavioral indicators are limited because the attack is silent from the user's perspective; focus on version inventory rather than event detection.

Why prioritize this

While the CVSS score is 6.5 (Medium), the practical risk is significant because the attack requires only user interaction—a common occurrence in web browsing—and affects a widely deployed browser used by most organizations' employees. The lack of active exploitation in the wild (not listed on CISA's Known Exploited Vulnerabilities catalog) means you have time to plan, but this is not a low-priority patch. Prioritize based on your risk tolerance and the sensitivity of data accessible via your users' cross-origin sessions.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a Medium severity: network-accessible attack vector, low complexity, no privileges required, but user interaction is mandatory. The impact is confidentiality loss only (high), with no integrity or availability impact. The scope is unchanged (attacker cannot elevate beyond the browser context). This scoring accurately captures the likelihood and impact; however, in practice, the ease of delivering the malicious page and the prevalence of Chrome in enterprise environments may warrant treating this as higher priority than the score alone suggests.

Frequently asked questions

Can an attacker leak specific data, or is it random?

An attacker can target specific cross-origin data if they know or guess what the victim has access to. For example, if a victim is logged into an internal application, the attacker can craft an SVG payload to extract data from that application's endpoints. The attacker cannot see the data themselves until they exfiltrate it, so there is some guesswork involved, but targeted attacks are feasible.

Does Chrome's auto-update mean my organization is already protected?

Most consumer and many enterprise instances of Chrome auto-update automatically. However, if your organization has disabled auto-updates, restricted Chrome to a specific version, or uses a managed version, you must manually verify that systems are running 149.0.7827.53 or later. Check chrome://settings/help on each endpoint to confirm.

Are other browsers like Firefox or Safari affected?

This vulnerability is specific to Chrome's SVG implementation. Firefox, Safari, and other browsers are not affected by this particular flaw. However, all browsers may have their own vulnerabilities; maintain a patching cadence across all browser types in your environment.

If we block SVG files on our proxy, are we protected?

Blocking SVG mime-types or file extensions would mitigate this specific vulnerability, but is not practical for most organizations because legitimate websites rely on SVG for graphics and icons. Patching Chrome is the correct remediation. If your risk tolerance is extremely high, you could supplement patching with content security policy (CSP) headers to restrict SVG sources, but this should not replace patching.

This analysis is based on the official CVE record and vendor advisories as of the publication date. Threat intelligence and exploit availability may change; check CISA's Known Exploited Vulnerabilities catalog and security mailing lists for updates. Version numbers and patch guidance are accurate as of the source data provided; verify against Google's official Chrome security advisories before deployment. This document does not constitute legal or compliance advice; consult your security team and compliance officers regarding prioritization and remediation timelines. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).