MEDIUM 6.1

CVE-2026-11273: Google Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53

Google Chrome versions before 149.0.7827.53 contain a vulnerability in the Omnibox (the address/search bar) that fails to properly validate user input. An attacker can craft a malicious HTML page that, when visited by a user who interacts with the Omnibox through specific UI actions, allows injection of arbitrary scripts or HTML content. This is a cross-site scripting variant (UXSS) that bypasses the normal security boundary between web pages. The attack requires user interaction and social engineering to be effective, but once triggered, can compromise the integrity and confidentiality of the browsing session.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-20, CWE-79
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11273 stems from insufficient input validation in Chrome's Omnibox component. The vulnerability allows Unfiltered Cross-Site Scripting (UXSS) when specific UI gestures are performed on a crafted HTML page. The Omnibox, responsible for parsing and processing user input for navigation and search, does not adequately sanitize or validate untrusted input before processing it in a security-sensitive context. This permits script injection (CWE-79) due to the underlying input validation weakness (CWE-20). The vulnerability affects Chrome on Windows, macOS, and Linux systems. Chromium maintainers classified this as Low severity internally, though the CVSS 3.1 score of 6.1 reflects Medium severity when accounting for the cross-origin scripting impact and user interaction requirement.

Business impact

While the vulnerability requires user interaction, it enables attackers to execute arbitrary JavaScript within the context of the browser, potentially leading to session hijacking, credential theft, malware delivery, or unauthorized actions on behalf of the user across visited websites. For organizations with strict browser security policies, the ability to inject scripts represents a control bypass. The impact is further amplified in environments where Chromebook or Chrome OS deployments are prevalent, or where Chrome is the primary corporate browser. The requirement for social engineering and specific UI gestures somewhat limits mass exploitation, but targeted attacks against high-value users remain feasible.

Affected systems

Google Chrome prior to version 149.0.7827.53 on all supported platforms is affected: Windows, macOS, and Linux distributions. This includes both enterprise and consumer deployments. Any user running an unpatched Chrome version on these operating systems is at risk if they visit a malicious website and interact with the Omnibox as directed by the attacker's payload. The vulnerability does not affect other Chromium-based browsers unless they have adopted the vulnerable code path unchanged.

Exploitability

The exploit chain requires: (1) creation of a crafted HTML page hosted by the attacker, (2) social engineering or phishing to convince a user to visit the page, and (3) the user performing specific UI gestures in the Omnibox (such as typing, selecting text, or invoking autocomplete suggestions). The barrier to exploitation is non-trivial due to the UI gesture requirement and the need for user interaction, which explains the lower Chromium severity rating. However, the attack surface is broad—any website a user visits can be weaponized. The vulnerability is not currently on CISA's Known Exploited Vulnerabilities (KEV) list, indicating no evidence of active in-the-wild exploitation at the time of publication, though this does not preclude future exploitation.

Remediation

Update Google Chrome to version 149.0.7827.53 or later. Chromium's auto-update mechanism will deliver the patch automatically on most systems, though administrators should verify deployment in managed environments. Organizations using Chrome Enterprise can verify patch status via the Chrome Management console. Users on unsupported OS versions (e.g., older Windows or macOS) should verify vendor support status and apply any available security updates from their OS vendor. Consider deploying browser policies that restrict navigation to untrusted domains or require additional confirmation for address bar interactions if feasible within your security framework.

Patch guidance

Patch availability: Google Chrome 149.0.7827.53 or later. Deployment approach: (1) Consumer users: Enable automatic updates and restart Chrome. Check Settings > About Chrome to force immediate update. (2) Enterprise/Managed: Deploy via Chromium Enterprise release channels (stable, beta, dev). Use your Mobile Device Management (MDM) or Group Policy infrastructure to enforce minimum version requirements. (3) Verification: Confirm patch application by checking Chrome://version or navigating to Settings > About Chrome and confirming version is 149.0.7827.53 or higher. No known breaking changes or compatibility issues associated with this patch have been reported.

Detection guidance

Detection approaches: (1) Network monitoring: Flag HTTP/HTTPS traffic to domains known for XSS payload delivery or malicious HTML hosting; correlate with Chrome Omnibox interaction patterns if telemetry is available. (2) Endpoint security tools: Monitor for Chrome process anomalies or unexpected script execution within Chrome's sandbox following Omnibox interaction events. (3) User awareness: Educate users to avoid typing sensitive queries or credentials directly in the Omnibox if prompted by unsolicited website content. (4) Proactive patching: Scan managed endpoints for Chrome version < 149.0.7827.53 and prioritize remediation in accessible-to-external-users scenarios. No specific IOCs (indicators of compromise) are known, as the vulnerability is in input handling rather than a backdoor or command-and-control pattern.

Why prioritize this

Prioritize this patch for deployment within 30 days in most environments. Reasoning: (1) Medium CVSS (6.1) with cross-site scripting impact is not critical but significant; (2) broad platform coverage (Windows, macOS, Linux) means risk exposure is widespread; (3) user interaction requirement and active social engineering barrier reduce immediate critical risk; (4) no evidence of active exploitation (KEV list status: false) allows for orderly, planned deployment rather than emergency response; (5) Chrome's auto-update mechanism means many consumer users will be protected automatically, reducing overall exposure velocity. Organizations with high-risk user populations (e.g., those handling sensitive data or subject to targeted attacks) should accelerate to 14-day timeframe.

Risk score, explained

CVSS 3.1 score of 6.1 (Medium) reflects: Attack Vector (Network) = maximum exposure via web; Attack Complexity (Low) = no special conditions needed beyond a crafted page; Privileges Required (None) = unauthenticated attacker; User Interaction (Required) = a user must perform specific Omnibox gestures, raising the bar somewhat; Scope (Changed) = the vulnerability impacts resources beyond the vulnerable component (other visited websites via script injection); Confidentiality (Low) and Integrity (Low) impacts due to potential data exfiltration or DOM modification; Availability (None) = no denial-of-service vector. The CVSS score is appropriate for a UI-dependent XSS variant with network-wide reachability but non-trivial interaction requirements.

Frequently asked questions

Does this vulnerability affect Chromium-based browsers like Edge, Brave, or Opera?

Not directly, unless those browsers have adopted the vulnerable Omnibox code from Chromium without modification. Microsoft Edge and other Chromium derivatives typically receive patches through their own release cycles. Check your browser vendor's advisory for confirmation. This CVE is specifically attributed to Google Chrome.

If I have Chrome set to auto-update, am I protected?

Yes, provided auto-update is enabled and your device is online and periodically reboots or is kept running so Chrome can apply updates. Consumer Chrome typically auto-updates within days of patch release. Enterprise users should verify auto-update settings via their MDM or Group Policy configuration to ensure it is not disabled.

What should I do if I suspect I visited a malicious page before patching?

First, update Chrome immediately to 149.0.7827.53 or later. Then, run a full antivirus/anti-malware scan on your device to check for persistent threats. Review browser extension list and installed software for unauthorized additions. If you entered sensitive information (passwords, credit card data) in that session, change those credentials on a clean device. Monitor your accounts for unauthorized activity for at least 30 days.

Why is this vulnerability rated 'Low' by Chromium but 'Medium' by CVSS?

Chromium's internal severity rating (Low) reflects the engineering team's assessment of the specific technical impact and exploitability constraints within their threat model. CVSS 3.1 (Medium, score 6.1) applies the standard industry scoring framework, which weights cross-site scripting, network accessibility, and scope-change impacts more heavily. Both are correct within their respective contexts; use CVSS for enterprise risk management and Chromium ratings for context on how Google prioritizes patch development.

This analysis is provided for informational purposes and reflects publicly available information as of the publication and modification dates. The vulnerability details, CVSS score, and patch versions are sourced from authoritative Chromium and NIST CVE records. Organizations should verify patch availability and compatibility within their own environments and follow their internal change management and testing protocols before deployment. SEC.co makes no warranties regarding the completeness or real-time accuracy of this intelligence. For official guidance, consult Google Chrome's official security advisory and your organization's patch management policy. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).