CVE-2026-15128 in Chromeinfo

Summary

by MITRE • 07/09/2026

Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a cross-site scripting flaw in Google Chrome's form handling mechanism that could be exploited by remote attackers to execute malicious code within the context of the victim's browser session. The issue stems from inadequate input validation and sanitization within the forms component, specifically when processing crafted HTML content that includes script tags or other malicious payloads. This vulnerability falls under the category of Untrusted Input Handling as classified by CWE-20 and aligns with ATT&CK technique T1566.001 for initial access through malicious content. The flaw exists in Chrome versions prior to 150.0.7871.115, where the browser fails to properly sanitize form-related HTML elements during rendering processes, potentially allowing attackers to inject arbitrary scripts that execute when users interact with compromised forms.

The technical exploitation occurs when a malicious actor crafts an HTML page containing specially formatted form elements that bypass Chrome's security mechanisms. The vulnerability manifests as a reflected cross-site scripting vector where attacker-controlled content is injected into the browser's DOM and subsequently executed without proper sanitization. This allows for unauthorized code execution within the context of the user's session, potentially enabling session hijacking, data theft, or further exploitation. The Chromium security severity classification of High indicates the substantial risk posed by this vulnerability, as it can be leveraged to gain unauthorized access to sensitive information and perform actions on behalf of authenticated users.

The operational impact extends beyond simple script execution to encompass potential privilege escalation and persistent threats within compromised browser sessions. Attackers could leverage this vulnerability to steal cookies, session tokens, or other sensitive data from users interacting with maliciously crafted pages. The vulnerability affects all users of affected Chrome versions who encounter malicious content through web forms, making it particularly dangerous in environments where users regularly interact with untrusted websites or receive phishing emails containing compromised form elements. This flaw could be exploited in conjunction with other techniques to establish persistent access or escalate privileges within user sessions.

Mitigation strategies should focus on immediate patching of affected Chrome versions to 150.0.7871.115 or later, which includes the necessary security fixes to properly sanitize form-related HTML content. Organizations should implement network-level protections such as web application firewalls and content filtering systems to detect and block malicious form content. Browser security configurations should be hardened through the implementation of Content Security Policy headers that restrict script execution from untrusted sources. Additionally, user education programs should emphasize the importance of avoiding suspicious websites and email attachments, while security monitoring systems should be configured to detect unusual browser behavior or attempts to inject malicious scripts into form elements. The vulnerability highlights the critical need for comprehensive input validation across all browser components and demonstrates the importance of maintaining up-to-date security patches to protect against evolving threat landscape.

Responsible

Chrome

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!