CVE-2026-11205: Chrome iOS QR Code UXSS Vulnerability (CVSS 6.1)
Google Chrome on iOS versions prior to 149.0.7827.53 contain a vulnerability that allows attackers to inject malicious scripts or HTML into web pages through crafted QR codes. The attack requires user interaction—specifically, the victim must engage with certain UI gestures in response to the attacker's QR code—but once triggered, the injected content runs with the privileges of the page being viewed. This is a cross-origin scripting (UXSS) issue, meaning the injected code can affect pages from different origins, potentially stealing session cookies, credentials, or sensitive data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted QR code. (Chromium security severity: Medium)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11205 stems from insufficient validation of untrusted input in Chrome's iOS QR code handling. The vulnerability allows universal cross-site scripting (UXSS) through a crafted QR code that, when interacted with via specific UI gestures, bypasses input sanitization and permits arbitrary script or HTML injection. The root cause is classified under CWE-20 (Improper Input Validation). The CVSS 3.1 score of 6.1 (Medium) reflects network-based delivery, low attack complexity, no required privileges, and user interaction as the limiting factors; however, the impact spans confidentiality and integrity across security boundaries (S:C), making this a cross-origin concern rather than single-origin containment.
Business impact
The primary business risk is credential theft and session hijacking. An attacker could craft a QR code—perhaps distributed via email, text message, advertisement, or social media—and trick users into scanning it or engaging with it in specific ways. Once activated, the injected script executes in the context of the victim's browser session, allowing theft of authentication tokens, sensitive form data, or redirection to phishing pages. For organizations that rely on iOS Chrome for corporate access to web-based tools or SaaS platforms, compromise of user sessions could lead to unauthorized access to internal systems, intellectual property theft, or lateral movement. The requirement for user interaction reduces the attack surface compared to drive-by exploits, but QR codes are increasingly common in physical and digital media, making social engineering feasible.
Affected systems
The vulnerability affects Google Chrome for iOS in all versions prior to 149.0.7827.53. Since Chrome on iOS uses WebKit (Apple's browser engine) under the hood, the underlying iOS version may also play a role in patch availability and user reach. Users on iPhone, iPad, or iPod touch running affected Chrome versions are at risk. Organizations with significant BYOD (bring your own device) populations using Chrome on iOS should assess exposure. The vulnerability does not affect Chrome on Android or desktop platforms based on the disclosed scope.
Exploitability
Exploitability is moderate. The attack requires a crafted QR code and user action—the victim must scan the code and perform specific UI gestures to trigger the injection. This is not a zero-click vulnerability; social engineering is required to convince users to engage with the attacker's QR code. Once the QR code is presented and the gesture is performed, the vulnerability is reliable. QR codes are ubiquitous in modern environments (restaurant menus, advertisements, event signage, promotional materials), making them a credible delivery vector. Attackers need only host a crafted code; no sophisticated infrastructure or zero-day exploit kit is necessary. The absence of KEV (Known Exploited Vulnerability) status as of the data snapshot suggests limited evidence of active exploitation in the wild, though that does not preclude attacks post-publication.
Remediation
Users must upgrade Google Chrome on iOS to version 149.0.7827.53 or later. The patch corrects input validation logic to properly sanitize QR code payloads before processing. Organizations should prioritize this update for users whose roles involve handling external links, QR codes, or sensitive web-based applications. Since Chrome on iOS updates are typically automatic (if the device is set to auto-update apps via the App Store), most users should receive the patch without manual intervention. However, users on older iOS versions (pre-iOS 14, for instance) may not be able to install the latest Chrome version; in such cases, organizations should consider enforcing Chrome policy restrictions or recommending alternative browsers.
Patch guidance
Verify that Google Chrome on iOS is running version 149.0.7827.53 or later by opening Settings > Chrome > About Google Chrome (if available) or checking the App Store for updates. For enterprise deployments using Mobile Device Management (MDM), enforce a minimum Chrome version policy and monitor compliance. Users should enable automatic app updates in their iOS App Store settings to receive patches promptly. Organizations can also provide user awareness training emphasizing caution when scanning unfamiliar QR codes, particularly from untrusted sources. Consider disabling QR code scanning functionality in Chrome via MDM settings if your organization's threat model warrants an additional control.
Detection guidance
Detection is challenging because the vulnerability is triggered by user action on a QR code, leaving minimal server-side artifacts. However, organizations can: (1) Monitor web application logs for unusual POST/GET patterns or script execution originating from Chrome on iOS user-agents; (2) Deploy content security policy (CSP) headers on web applications to reduce the impact of injected scripts; (3) Use browser endpoint detection and response (EDR) tools to flag unexpected script execution contexts; (4) Log and alert on credential re-use or session anomalies following QR code interactions (e.g., impossible travel, unusual geographic login source); (5) Implement security awareness training to encourage users to report suspicious QR code prompts. Advanced detection may require analyzing iOS crash logs or network traffic for QR code payloads, but this is resource-intensive and best suited to high-security environments.
Why prioritize this
This vulnerability merits prompt patching despite its Medium CVSS rating because: (1) it affects a widely-used mobile browser on iOS, which is prevalent in corporate and consumer environments; (2) successful exploitation compromises session security and can lead to credential theft—a foundational compromise for lateral movement; (3) the attack vector (QR code + user gesture) is practical and increasingly common in social engineering campaigns; (4) the cross-origin nature (S:C in CVSS) means the impact transcends single-domain containment; (5) users may not immediately recognize a malicious QR code, making prevention difficult without patching. Organizations with BYOD policies, customer-facing web applications, or reliance on mobile workers should prioritize this patch within 2–4 weeks of release.
Risk score, explained
The CVSS 3.1 score of 6.1 (Medium) is anchored to: AV:N (network-based, QR code can be delivered remotely), AC:L (attack complexity is low once a QR code is crafted), PR:N (no privileges required to deliver or scan), UI:R (user interaction required), S:C (scope is changed—injected script can cross origin boundaries), C:L (confidentiality impact is limited to what a script can exfiltrate), I:L (integrity impact is limited to what a script can modify), A:N (no availability impact). The Medium severity reflects that user interaction is a necessary gate; however, the cross-origin scope elevates it beyond a typical XSS. In real-world terms, this is a credential theft and session hijacking risk, not a critical remote code execution—hence the medium rating is appropriate. Organizations with stringent security postures may wish to treat this as high-priority given the practical threat landscape, even if the numeric score is medium.
Frequently asked questions
Does this vulnerability affect Chrome on Android or desktop?
No. CVE-2026-11205 is specific to Chrome on iOS and the insufficient input validation in its QR code handling logic. Chrome on Android and desktop platforms use different code paths and are not affected by this particular vulnerability.
Can the vulnerability be exploited without user interaction?
No. The vulnerability requires the user to scan a crafted QR code and perform specific UI gestures. This is a critical limiting factor; it is not a zero-click or drive-by exploit. Attackers must socially engineer users into interacting with the malicious QR code.
What data is at risk if my session is compromised via this vulnerability?
Any data accessible in the browser session at the time of exploitation is at risk, including session tokens/cookies, form data, authentication credentials, personal information displayed on web pages, and any data accessible via browser APIs. The attacker can also redirect the user to phishing pages or steal data from multiple sites if the user has open tabs.
Is patching sufficient, or do I need additional controls?
Patching is the primary mitigation. However, layered defenses improve protection: enable content security policy (CSP) headers on your web applications, use multi-factor authentication (MFA) to reduce credential compromise impact, monitor for suspicious session activity, and educate users to be cautious about scanning QR codes from unknown sources.
This analysis is provided for informational purposes and should not be construed as legal or professional security advice. Organizations must independently verify patch applicability, test patches in their environments before broad deployment, and align remediation with their risk management and change control procedures. CVSS scores and vulnerability classifications may be updated by vendors; refer to official Google Chrome and Apple security advisories for the authoritative information. This assessment is current as of the publication date; threat landscapes and exploit prevalence may evolve. Consult your security team and vendor documentation for your specific configuration and exposure. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-11008MEDIUMChrome WebAppInstalls Cross-Origin Data Leak (CVSS 6.5)
- CVE-2026-11013MEDIUMChrome Network Input Validation Flaw Enables Memory Data Theft
- CVE-2026-11016MEDIUMChrome Same-Origin Policy Bypass (Medium Severity)
- CVE-2026-11022MEDIUMChrome DevTools Same-Origin Policy Bypass (Medium)
- CVE-2026-11023MEDIUMChrome Same-Origin Policy Bypass in WebAppInstalls