{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0628", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-01-05T23:32:30.339Z", "datePublished": "2026-01-06T23:57:00.488Z", "dateUpdated": "2026-02-26T15:04:55.900Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "143.0.7499.192", "status": "affected", "lessThan": "143.0.7499.192", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-06T23:57:00.488Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/463155954"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T04:55:23.481914Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:55.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T04:55:23.481914Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T13:47:56.440Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "143.0.7499.192", "lessThan": "143.0.7499.192", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/463155954"}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-06T23:57:00.488Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0628", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:55.900Z", "dateReserved": "2026-01-05T23:32:30.339Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-01-06T23:57:00.488Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3CA58B4-E298-4CAF-91FC-6570689DC687", "versionEndExcluding": "143.0.7499.192", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)"}], "id": "CVE-2026-0628", "lastModified": "2026-01-12T16:48:33.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-07T12:17:07.093", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/463155954"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:10:55.195367+00:00", "value": {"mitigation_remediation": ["Upgrade Chrome to version 143.0.7499.192 or later.", "Remove or block any untrusted or suspicious extensions that the user has installed.", "Apply enterprise policies to restrict extension installation or enforce a whitelist of approved extensions."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Google Chrome for desktop. All releases prior to 143.0.7499.192 are vulnerable, until the policy enforcement fix is applied in the stated version. Users on earlier or equal versions should review their installed extensions for potential risks.", "description_and_impact": "Google Chrome versions prior to 143.0.7499.192 lacked sufficient policy enforcement on the WebView tag, allowing an attacker who persuaded a user to install a malicious extension to inject arbitrary scripts or HTML into a privileged page. This flaw can enable the execution of code with elevated privileges in the context of the web page, potentially compromising user data and the security of the host system. The vulnerability is classified as high severity with a CVSS score of 8.8.", "risk_and_exploitability": "The exploitation probability (EPSS) is reported as less than 1%, indicating a very low likelihood of widespread attacks at the present time. However, the absence of a known exploit in the CISA KEV catalog does not negate the risk. Attackers must convince users to install a malicious Chrome extension, after which they can leverage the vulnerability to inject code into privileged pages. The high impact combined with low EPSS suggests that organizations should still prioritize mitigation, especially if they allow extension installations or handle sensitive data."}}}}, "created": "2026-01-07T10:08:08.967988+00:00", "title": "Privilege Escalation via Malicious Extension in Chrome's WebView Tag", "updated": "2026-04-18T08:15:15.894243+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}