PatchSiren cyber security CVE debrief
CVE-2026-11007 Google CVE debrief
CVE-2026-11007 is a Medium severity vulnerability in Google Chrome on Android. Insufficient validation of untrusted input in WebView allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
- Vendor
- Product: Chrome
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Users of Google Chrome on Android prior to version 149.0.7827.53 should apply the update to prevent exploitation.
Technical summary
The vulnerability, tracked as CVE-2026-11007, was caused by insufficient validation of untrusted input in WebView. This allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. The CVSS score for this vulnerability is 6.5, indicating a Medium severity.
Defensive priority
Medium
Recommended defensive actions
- Update Google Chrome on Android to version 149.0.7827.53 or later.
Evidence notes
Evidence from the NVD and the Chrome release notes confirms the vulnerability and provides details on the affected versions.
Official resources
- CVE-2026-11007 CVE record (CVE.org)
- CVE-2026-11007 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference: [email protected] - Permissions Required
CVE-2026-11007 was published on 2026-06-04T23:17:04.503Z and modified on 2026-06-08T18:09:30.310Z.