CVE-2026-5918
Cross-Origin Data Leak via Navigation Flaw in Chrome Renderer
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: Chrome
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chrome | to 147.0.7727.55 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an inappropriate implementation in the Navigation component of Google Chrome versions prior to 147.0.7727.55. It allows a remote attacker who has already compromised the renderer process to leak cross-origin data by using a specially crafted HTML page.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to unauthorized disclosure of data from different origins, potentially exposing sensitive information that should be isolated by the browser's security model.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a remote attacker who has compromised the renderer process in Google Chrome to leak cross-origin data via a crafted HTML page.
Such data leakage could potentially expose sensitive personal or protected information, which may impact compliance with data protection regulations like GDPR or HIPAA if exploited.
However, the vulnerability is rated with a low severity score (CVSS 4.3) and requires user interaction, which may limit the risk.
No specific information is provided about direct compliance impact in the available data.