{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1504", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-01-27T20:08:27.853Z", "datePublished": "2026-01-27T20:46:35.796Z", "dateUpdated": "2026-01-27T21:16:21.039Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "144.0.7559.110", "status": "affected", "lessThan": "144.0.7559.110", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-27T20:46:35.796Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html"}, {"url": "https://issues.chromium.org/issues/474435504"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:15:06.101399Z", "id": "CVE-2026-1504", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:16:21.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:15:06.101399Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:14:54.925Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "144.0.7559.110", "lessThan": "144.0.7559.110", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html"}, {"url": "https://issues.chromium.org/issues/474435504"}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-01-27T20:46:35.796Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1504", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:16:21.039Z", "dateReserved": "2026-01-27T20:08:27.853Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-01-27T20:46:35.796Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3E547F7-E289-4BCF-8788-32ACFE165948", "versionEndExcluding": "144.0.7559.110", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-1504", "lastModified": "2026-02-06T17:45:56.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-27T21:16:00.480", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/474435504"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Inappropriate implementation in Background Fetch API", "id": "2433556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433556"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-1504", "public_date": "2026-01-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1504\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1504\nhttps://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html\nhttps://issues.chromium.org/issues/474435504"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T01:56:44.394836+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 144.0.7559.110 or later.", "If updating is unavailable, disable the Background Fetch API via Chrome's enterprise policy by setting BackgroundFetchAllowed to false or BackgroundSyncEnabled to false.", "For organizations, block access to known malicious URLs and monitor browser logs for background fetch events to detect potential abuse."], "summary": {"action": "Patch", "impact": "Cross-origin data leak via Background Fetch API"}, "threat_synthesis": {"affected_systems": "Affected are all Google Chrome releases before 144.0.7559.110. The vulnerability exists in Desktop Chrome for Windows, macOS, and Linux in the stable channel and has been reported in Chromium's issue tracker under 474435504. Any user who opens a malicious web page while using one of those affected Chrome versions is susceptible.", "description_and_impact": "The Background Fetch API implementation in Google Chrome up to version 144.0.7559.110 contains an oversight that permits a remote attacker to retrieve data from origins different from the one that served the malicious page. An attacker can craft an HTML page that initiates a background fetch request to a target domain. Due to improper origin checks, Chrome returns the response payload to the malicious page, leaking cross\u2011origin information. This flaw is a CWE-200 exposure of sensitive information to an unauthorized actor and also can be considered a CWE-284 improper access control issue.", "risk_and_exploitability": "The CVSS score is 6.5, classifying the issue as high severity from Chrome's perspective, but the EPSS score is below 1%, indicating a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack requires a user to visit a crafted web page in Chrome; no additional privileged access or network connections are needed. Once the attack vector is activated, data from the target origin is returned to the malicious page, allowing an attacker to exfiltrate sensitive information."}}}}, "created": "2026-01-28T12:22:06.179282+00:00", "updated": "2026-04-18T02:00:10.471785+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-200", "CWE-284"]}