MEDIUM 4.3

CVE-2026-11245: Chrome UI Spoofing in Payments Component (CVSS 4.3)

CVE-2026-11245 is a user interface spoofing vulnerability in Google Chrome's payment handling system. An attacker can craft a deceptive HTML page that tricks users into believing they are interacting with legitimate payment dialogs or security prompts, potentially leading to credential theft, social engineering, or other forms of user deception. The vulnerability requires user interaction (clicking or engaging with the malicious page) to be exploited, limiting its scope but not eliminating risk in realistic phishing or drive-by attack scenarios.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-451
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an inappropriate implementation in Chrome's Payments component prior to version 149.0.7827.53. It exploits CWE-451 (User Interface (UI) Misrepresentation of Critical Information), allowing attackers to overlay, mimic, or otherwise misrepresent legitimate payment UI elements through crafted HTML. The attack vector is network-based with low attack complexity, and while it does not directly compromise confidentiality or availability, it enables integrity violations through UI spoofing. The CVSS 3.1 score of 4.3 reflects the user interaction requirement and limited direct impact, though Chromium's internal assessment categorized it as low severity.

Business impact

UI spoofing attacks targeting payment flows can erode user trust in your organization's digital transactions, especially if your environment or customers rely on Chrome for e-commerce, SaaS platforms, or financial services. While this vulnerability alone does not steal data directly, it facilitates social engineering and credential harvesting, which can lead to account takeovers, fraudulent transactions, or compliance violations if user payment data is exposed downstream. Organizations handling sensitive payment information should be aware that users may be deceived into bypassing security controls or revealing authentication details.

Affected systems

Google Chrome versions prior to 149.0.7827.53 are affected. The vulnerability also applies to Chrome running on Apple macOS, Linux (Linux kernel), and Microsoft Windows. Organizations should verify the exact Chrome versions deployed in their environment and on end-user machines. Enterprise deployments pinned to older release channels may face an extended exposure window until forced updates are applied.

Exploitability

Exploitation requires a remote attacker to host or inject a crafted HTML page and persuade a user to view it in an affected Chrome version. The barrier to entry is relatively low—no authentication, credentials, or special network positioning is required. However, successful exploitation depends entirely on user interaction and perception; users must believe the spoofed UI is genuine. This makes the attack well-suited for targeted phishing campaigns or compromised websites but less suitable for mass, passive exploitation. The attack is not known to be weaponized in the wild (CVE has not been added to the CISA KEV catalog), though the attack pattern is well-established in fraud and phishing ecosystems.

Remediation

The primary remediation is to update Google Chrome to version 149.0.7827.53 or later across all affected systems. Enterprise administrators should deploy this patch through automated update mechanisms or managed deployment policies. For organizations unable to immediately patch, security awareness training emphasizing verification of payment prompts and warnings about unsolicited payment requests can reduce user susceptibility. Consider supplementing with browser security policies that restrict or monitor payment-related pages in high-risk environments.

Patch guidance

Apply the Chrome update to version 149.0.7827.53 or newer as soon as feasible. For Windows, macOS, and Linux deployments, use your standard patch management process. Chrome's auto-update mechanism should deliver this patch automatically if enabled. Enterprise customers using Chrome Enterprise should consult Google's Chrome release notes and verify patch deployment in their environment. No extended support or backport patches are expected; upgrading to the current stable release is the recommended path.

Detection guidance

Detection is challenging because the vulnerability manifests as visual deception rather than a network signature or system behavior anomaly. Monitor for user reports of suspicious payment dialogs, unusual Chrome behavior, or failed payment attempts on legitimate platforms. Network monitoring for unusual HTML or JavaScript injection attempts into payment pages may surface some variants. Consider deploying browser monitoring tools that flag abnormal payment flow interactions or detect HTML injection patterns. Additionally, review analytics for unexpected abandonment in payment workflows, which may indicate user confusion from spoofed dialogs.

Why prioritize this

This vulnerability warrants prompt but not emergency patching. The CVSS score of 4.3 (Medium severity) reflects limited direct impact and the user interaction requirement, but the attack surface—every user browsing the web—is broad. Prioritization should be calibrated to your organization's exposure: enterprises with high-volume payment processing, e-commerce platforms, or phishing-prone user bases should patch sooner; internal-only or low-transaction environments can follow standard patch cycles. The absence of KEV listing and public exploitation suggests low immediate pressure, but the attack type (UI spoofing) is weaponizable by both commodity phishing toolkits and targeted campaigns.

Risk score, explained

The CVSS 3.1 score of 4.3 places this in the Medium severity band. The network attack vector (AV:N) and low attack complexity (AC:L) reflect easy accessibility, but the requirement for user interaction (UI:R) caps impact. The integrity impact (I:L) captures the ability to deceive users about payment dialogs, while no confidentiality or availability impact is present. Chromium's internal assessment of 'Low' severity reflects their risk tolerance for UI-based deception; SEC.co's CVSS rating of Medium acknowledges the real-world risk in phishing-heavy threat models and environments where user deception directly affects financial or operational security.

Frequently asked questions

Can this vulnerability steal my payment card details directly?

No. The vulnerability enables UI spoofing, meaning an attacker can trick you into believing you're interacting with a legitimate payment dialog. However, it does not directly compromise encrypted payment data. The real risk is that you might be deceived into entering credentials, CVV numbers, or other sensitive information into a fake form, or clicking a malicious link that leads to a separate attack. Always verify payment pages by checking the URL, site certificate, and official branding.

Do I need to patch immediately, or can I wait for the regular update cycle?

Waiting for the regular Chrome update cycle is acceptable for most organizations, as the vulnerability is not listed in CISA's KEV catalog and is not known to be actively exploited. However, if your organization processes payments, handles sensitive user data, or operates in a high-phishing environment, prioritize patching within 1–2 weeks. Chrome typically auto-updates, so check your deployment settings to ensure patches are applied automatically.

What platforms are affected?

Google Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux are all affected. If you use Chrome on any of these operating systems, verify your version in Chrome Settings > About Chrome and update if necessary. Other Chromium-based browsers (Edge, Brave, Opera) may also be affected depending on their release cycles; check with those vendors.

How can I tell if I've been attacked via this vulnerability?

Most users won't detect this attack because it's a visual deception. You might notice unusual payment dialog prompts, requests for information you'd normally not provide, or payment failures on legitimate sites. If you suspect you've been targeted, review your recent browser history, check your bank and payment account statements for unauthorized activity, and enable two-factor authentication if you haven't already. Report suspicious activity to your organization's security team.

This analysis is based on publicly available information as of the publication date. Patch version numbers and timelines should be verified against official Google Chrome security advisories and your organization's supported release channels. No exploit code or proof-of-concept is provided. Organizations should conduct internal testing before deploying patches in production environments. This vulnerability analysis does not constitute professional security advice; consult your security team or a qualified professional for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).