PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11291 Google CVE debrief

A vulnerability was discovered in Google Chrome on Android, specifically in the Android Autofill feature. This issue, tracked as CVE-2026-11291, allowed a remote attacker to bypass the same origin policy via a crafted HTML page. Chromium rated the vulnerability as Low severity; its CVSS base score of 4.3 places it in the MEDIUM band.

Vendor
Google
Product
Chrome
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-08
Advisory published
2026-06-05
Advisory updated
2026-06-08

Who should care

Users of Google Chrome on Android, particularly those who may be exposed to crafted HTML pages from untrusted sources, should be aware of this vulnerability.

Technical summary

The vulnerability was caused by an inappropriate implementation in Android Autofill in Google Chrome on Android prior to version 149.0.7827.53. This allowed a remote attacker to bypass the same origin policy, potentially leading to unintended access or data exposure.

Defensive priority

The vulnerability has a CVSS score of 4.3 and is rated as MEDIUM severity. While it is not considered High severity, it still requires attention, especially for users who may be targeted by crafted HTML pages.

Recommended defensive actions

  • Update Google Chrome on Android to version 149.0.7827.53 or later to patch the vulnerability.
  • Be cautious when accessing HTML pages from untrusted sources, as they may be crafted to exploit this vulnerability.
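The first recommended action is a version check. The following is an added example, not PatchSiren's or Google's code: it parses a constructed sample of `adb shell dumpsys package com.android.chrome` output (the `versionName=` line shape is assumed) and compares the installed build against the fixed version named in the summary, so that devices still below 149.0.7827.53 can be flagged for update.

```python
import re

# Fixed version stated in the debrief; earlier Chrome-for-Android builds are affected.
FIXED_VERSION = "149.0.7827.53"

# Constructed sample of `adb shell dumpsys package com.android.chrome` output
# (assumed shape; only the versionName line is used below).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3f1a2b4):
    userId=10123
    versionName=148.0.7790.81
    splits=[base, config.arm64_v8a]
"""


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version string into a tuple of ints for ordering."""
    return tuple(int(part) for part in version.strip().split("."))


def installed_chrome_version(dumpsys_output: str):
    """Return the versionName reported by dumpsys, or None if no such line exists."""
    match = re.search(r"versionName=([\d.]+)", dumpsys_output)
    return match.group(1) if match else None


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


def check_device(dumpsys_output: str) -> dict:
    """Summarise the patch status of one device from its dumpsys output."""
    version = installed_chrome_version(dumpsys_output)
    if version is None:
        return {"version": None, "affected": None, "status": "chrome-not-found"}
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "status": "update-required" if affected else "patched"}


if __name__ == "__main__":
    print(check_device(SAMPLE_DUMPSYS))
```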

Evidence notes

The CVE record and details were obtained from official sources, including CVE.org and the National Vulnerability Database (NVD).

Official resources

CVE-2026-11291 was published on 2026-06-05T00:17:06.727Z and modified on 2026-06-08T16:37:09.850Z.