PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11200 Google CVE debrief

CVE-2026-11200 is a medium-severity vulnerability in Google Chrome prior to version 149.0.7827.53. The vulnerability is caused by an inappropriate implementation in WebRTC, which allows a remote attacker to leak cross-origin data via a crafted HTML page. The CVSS score for this vulnerability is 6.5, indicating a medium severity level.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-05
Advisory published
2026-06-04
Advisory updated
2026-06-05

Who should care

Users of Google Chrome prior to version 149.0.7827.53 should update to the latest version to mitigate this vulnerability. Additionally, developers who use WebRTC in their applications should be aware of this vulnerability and take necessary precautions to prevent cross-origin data leaks.

Technical summary

The vulnerability is caused by an inappropriate implementation in WebRTC, which allows a remote attacker to leak cross-origin data via a crafted HTML page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Defensive priority

Medium

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.53 or later.
  • Use a Web Application Firewall (WAF) to detect and prevent cross-origin data leaks.
  • Implement Content Security Policy (CSP) to restrict the sources of content that can be loaded by the browser.

Evidence notes

The vulnerability was reported by [email protected] and is referenced in the Chrome Releases blog post [ref-4]. The CVE record can be found at [cve-org] and the NVD detail can be found at [nvd].

Official resources

CVE-2026-11200 was published on 2026-06-04T23:17:27.170Z and modified on 2026-06-05T20:42:17.557Z.