CVE-2026-14145 in Chrome

Summary

by MITRE • 07/01/2026

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

Analysis

by VulDB Data Team • 07/01/2026

The vulnerability in Google Chrome versions prior to 150.0.7871.47 is a cross-site scripting issue stemming from inadequate handling in the CSS implementation that could enable unauthorized code execution. It manifests within the browser's rendering engine, where CSS processing fails to properly sanitize or validate input, giving a malicious actor a way to inject arbitrary scripts or HTML through a carefully constructed web page. The flaw sits at the intersection of Cascading Style Sheets processing and client-side script execution: certain CSS attributes handled by Chrome can be manipulated to bypass security boundaries, which is what makes the result a universal XSS (UXSS) rather than an XSS confined to one site.

Exploitation occurs when a remote attacker crafts an HTML page containing malicious CSS that leverages specific parsing behaviors in Chrome's CSS engine. The implementation flaw allows injected content to be interpreted as executable script rather than handled as style information. The weakness lies in the browser's Content Security Policy enforcement and input validation routines, where CSS attributes are not sufficiently filtered or escaped before rendering. The issue shows how styling can be turned into an attack vector that bypasses security measures focused primarily on HTML injection points rather than on CSS.

The operational impact extends beyond simple script execution: the attacker gains the ability to perform unauthorized actions within the context of the user's browsing session. A user visiting a malicious website could unknowingly have the browser execute arbitrary code, potentially leading to data theft, session hijacking, or further exploitation chained with additional vulnerabilities. The Low severity assigned by the Chromium security team reflects that the attack requires user interaction (visiting the page) and careful crafting of that page, but the potential for abuse remains significant in targeted attacks. The vulnerability affects all users of the affected Chrome versions and shows how a seemingly benign web technology can be leveraged for sophisticated attacks.

Mitigation should focus on immediately updating the browser to version 150.0.7871.47 or later, where the CSS handling routines have been patched to properly validate and sanitize input. Organizations should implement security monitoring to detect unusual CSS processing patterns and maintain security policies that account for both HTML- and CSS-based attack vectors. Network administrators should consider additional layers of protection such as web application firewalls that can detect and block suspicious CSS content, while developers should ensure proper input validation and sanitization in their own applications. The vulnerability aligns with CWE-79 (Cross-site Scripting) and relates to the ATT&CK techniques T1566 (Phishing) and T1203 (Exploitation for Client Execution), in which attackers leverage browser vulnerabilities to execute malicious code. The patch addresses the root cause by strengthening CSS parsing validation and applying stricter sanitization routines that prevent injection of executable content through styling attributes.
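As an added example (not VulDB's or the Chromium project's code), a small Python check a defender could run over a software inventory to flag Chrome installs still below the fixed version named above. The CSV layout, host names and sample versions are constructed assumptions; the point it makes is that Chrome's four-part versions must be compared numerically, since a string comparison would wrongly rate 150.0.7871.5 as newer than 150.0.7871.47.

```python
# Added example: flag Chrome installs below the patched version from the advisory.
from typing import List, Optional, Tuple

FIXED_VERSION = "150.0.7871.47"  # first patched version stated on this page

# Constructed inventory (assumed layout): "hostname,product,version"
INVENTORY = """\
ws-01,Google Chrome,149.0.7800.120
ws-02,Google Chrome,150.0.7871.5
ws-03,Google Chrome,150.0.7871.47
ws-04,Google Chrome,150.0.7890.3
ws-05,Google Chrome,not-installed
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Chrome versions are four dotted integers; compare them as ints, never as strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if version is prior to FIXED_VERSION, False if patched, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def scan_inventory(inventory: str) -> Tuple[List[str], List[str]]:
    """Return (hosts still vulnerable, hosts whose version could not be parsed)."""
    affected, unknown = [], []
    for line in inventory.splitlines():
        host, product, version = line.split(",", 2)
        if product != "Google Chrome":
            continue  # other products are out of scope for this CVE
        status = is_affected(version)
        if status is None:
            unknown.append(host)  # needs manual follow-up rather than silent skip
        elif status:
            affected.append(host)
    return affected, unknown


if __name__ == "__main__":
    vulnerable, unknown = scan_inventory(INVENTORY)
    print("update required:", vulnerable)
    print("version unknown:", unknown)
```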

Responsible

Chrome

Reservation

06/30/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
