{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5895", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:41.346Z", "datePublished": "2026-04-08T21:20:57.110Z", "dateUpdated": "2026-04-08T21:20:57.110Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:57.110Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/374285495"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)"}], "id": "CVE-2026-5895", "lastModified": "2026-04-08T22:16:29.397", "metrics": {}, "published": "2026-04-08T22:16:29.397", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/374285495"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:58:30.280829+00:00", "value": {"mitigation_remediation": ["Update Chrome for iOS to version 147.0.7727.55 or later", "Verify that the device is running the latest Chrome update", "Stay informed of further security advisories from Google regarding Chrome for iOS"], "summary": {"action": "Immediate Patch", "impact": "UI Spoofing"}, "threat_synthesis": {"affected_systems": "Chrome for iOS versions earlier than 147.0.7727.55 are affected. Users running any build before this release remain vulnerable until they upgrade the browser to a newer version that includes the UI fix.", "description_and_impact": "An incorrect security UI in Chrome\u2019s Omnibox on iOS allows a remote attacker to display a spoofed URL through a specially crafted domain name. The rendering flaw enables the browser to present altered address information without redirecting the user, enabling deceptive phishing attempts. The weakness involves a UI rendering inconsistency that permits domain manipulation. Google rates this issue as low severity.", "risk_and_exploitability": "No CVSS score is published and the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a remote attacker to entice a user into visiting a maliciously crafted domain; if the user enters that domain in the address bar, the browser will display the spoofed URL. The impact is limited to user deception and does not provide code execution or direct access to the device. Based on the available information, the risk level is moderate; widespread exploitation has not been reported."}}}}, "created": "2026-04-09T08:16:57.443674+00:00", "title": "Google Chrome iOS Omnibox URL Spoofing Vulnerability", "updated": "2026-04-09T08:26:23.649698+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-1005"]}