PatchSiren cyber security CVE debrief
CVE-2026-11097 Google CVE debrief
A medium-severity vulnerability, CVE-2026-11097, was found in Google Chrome's WebView on Android. This issue, caused by an inappropriate implementation, allows remote attackers to leak cross-origin data via a crafted HTML page. The vulnerability has a CVSS score of 6.5 and was published on 2026-06-04.
- Vendor
- Product
- Chrome
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-09
Who should care
Users of Google Chrome on Android, particularly those who may be exposed to crafted HTML pages from untrusted sources, should be aware of this vulnerability.
Technical summary
The vulnerability is caused by an inappropriate implementation in WebView in Google Chrome on Android prior to version 149.0.7827.53. This allows a remote attacker to leak cross-origin data via a crafted HTML page. The Chromium security severity is classified as Medium.
Defensive priority
Medium
Recommended defensive actions
- Update Google Chrome to version 149.0.7827.53 or later to mitigate the vulnerability.
- Be cautious when accessing HTML pages from untrusted sources, as they may be crafted to exploit this vulnerability.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4] and [ref-5].
Official resources
-
CVE-2026-11097 CVE record
CVE.org
-
CVE-2026-11097 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
[email protected] - Permissions Required
CVE-2026-11097 was published on 2026-06-04 and modified on 2026-06-09.