CVE-2026-0628

high

Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

References

References
More

https://www.theregister.com/2026/03/03/google_chrome_bug_gemini/

https://www.malwarebytes.com/blog/news/2026/03/chrome-flaw-let-extensions-hijack-geminis-camera-mic-and-file-access

https://securityaffairs.com/188807/security/chrome-security-flaw-enabled-spying-via-gemini-live-assistant.html

https://www.securityweek.com/vulnerability-allowed-hijacking-chromes-gemini-live-ai-assistant/

https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/

https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html

https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

https://issues.chromium.org/issues/463155954

https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html

Details

Source: Mitre, NVD

Published: 2026-01-07

Updated: 2026-01-12

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00008