{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3063", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-02-23T18:41:53.917Z", "datePublished": "2026-02-23T22:17:19.953Z", "dateUpdated": "2026-02-26T14:44:10.495Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "145.0.7632.116", "status": "affected", "lessThan": "145.0.7632.116", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-23T22:17:19.953Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"}, {"url": "https://issues.chromium.org/issues/485287859"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3063", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:34.076430Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:10.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3063", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:34.076430Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T17:08:11.143Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "145.0.7632.116", "lessThan": "145.0.7632.116", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"}, {"url": "https://issues.chromium.org/issues/485287859"}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-23T22:17:19.953Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3063", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:10.495Z", "dateReserved": "2026-02-23T18:41:53.917Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-02-23T22:17:19.953Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "B343A045-3AF8-43D8-8CE8-79213B669EDA", "versionEndExcluding": "145.0.7632.116", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "278C2D71-0647-4BB6-8A22-5F976FB15862", "versionEndExcluding": "145.0.7632.117", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)"}, {"lang": "es", "value": "Implementaci\u00f3n inapropiada en DevTools en Google Chrome anterior a 145.0.7632.116 permiti\u00f3 a un atacante, que convenci\u00f3 a un usuario de instalar una extensi\u00f3n maliciosa, inyectar scripts o HTML en una p\u00e1gina con privilegios a trav\u00e9s de DevTools. (Gravedad de seguridad de Chromium: Alta)"}], "id": "CVE-2026-3063", "lastModified": "2026-02-25T18:23:42.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-23T23:16:16.107", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/485287859"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Inappropriate implementation in DevTools", "id": "2442074", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442074"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-3063", "public_date": "2026-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3063\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3063\nhttps://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html\nhttps://issues.chromium.org/issues/485287859"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[145.0.7632.116,145.0.7632.116)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T16:10:55.402936+00:00", "value": {"mitigation_remediation": ["Upgrade Google\u00a0Chrome to version\u202f145.0.7632.116 or later.", "Remove any installed extensions that request broad host permissions or were obtained from untrusted sources.", "Review extension permissions on Chrome\u2019s Extensions page and disable extensions that interact with DevTools or privileged pages."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The issue affects users of Google Chrome browsers before version\u202f145.0.7632.116 on Windows, macOS, and Linux operating systems.", "description_and_impact": "An improper implementation in Google Chrome\u2019s DevTools allows a malicious extension, once installed by a user, to inject scripts or HTML into privileged pages. This facilitates the execution of arbitrary code with the elevated privileges of the browser, essentially enabling a high\u2011impact cross\u2011site scripting attack on the user\u2019s own browser context.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8 and an EPSS score below\u202f1\u202f%, indicating high severity but low likelihood of exploitation. It is not currently listed in the CISA KEV catalog. The most probable attack vector involves social engineering to persuade a user to install a malicious extension that gains access to DevTools and exploits the privilege escalation flaw."}}}}, "created": "2026-02-24T09:54:37.043777+00:00", "updated": "2026-04-17T16:15:22.647662+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-79", "CWE-264"]}