PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11001 Google CVE debrief

CVE-2026-11001 is a medium-severity vulnerability in Google Chrome prior to version 149.0.7827.53. The vulnerability is caused by an inappropriate implementation in Payments, allowing remote attackers who convince a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. The CVSS score for this vulnerability is 6.5, indicating a medium severity level.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-06
Advisory published
2026-06-04
Advisory updated
2026-06-06

Who should care

Users of Google Chrome prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability. Additionally, developers and administrators should be aware of this vulnerability and take necessary precautions to protect against potential attacks.

Technical summary

The vulnerability is caused by an inappropriate implementation in Payments in Google Chrome prior to version 149.0.7827.53. This allows remote attackers who convince a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Be cautious when engaging in UI gestures on suspicious websites.

Evidence notes

The vulnerability was reported by [email protected] and has been documented in the Chrome release notes [ref-4]. The CVE record can be found on the CVE.org website [cve-org].

Official resources

CVE-2026-11001 was published on 2026-06-04T23:17:03.837Z and modified on 2026-06-06T17:16:41.393Z.