{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5899", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:42.721Z", "datePublished": "2026-04-08T21:20:58.656Z", "dateUpdated": "2026-04-08T21:20:58.656Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:58.656Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/474817168"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-5899", "lastModified": "2026-04-08T22:16:29.787", "metrics": {}, "published": "2026-04-08T22:16:29.787", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/474817168"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:38:02.180851+00:00", "value": {"mitigation_remediation": ["Apply the latest Chrome update (\u2265147.0.7727.55).", "Verify that your browser is current before visiting unknown or suspicious sites.", "Avoid performing the specific history navigation gestures with untrusted pages when possible."], "summary": {"action": "Update Chrome", "impact": "User-Interface XSS via History Navigation in Chrome 147"}, "threat_synthesis": {"affected_systems": "The flaw affects Google Chrome versions prior to 147.0.7727.55. All operating systems running these earlier Chrome releases are susceptible; newer releases include the bug fix and are unaffected.", "description_and_impact": "Chromium\u2019s policy enforcement for History Navigation failed to guard against the injection of arbitrary scripts or HTML when a user performed specific UI gestures on a crafted web page. An attacker who successfully lures a user into such gestures could cause the browser to execute malicious code embedded in the page, leading to style or script collateral damage but not necessarily full system compromise. The vulnerability is considered a low\u2011severity UXSS, implying limited impact on confidentiality or integrity should the user remain within the same browser context.", "risk_and_exploitability": "The CVSS score is low and no EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating a modest risk to the wider community. Successful exploitation requires user engagement and explicit UI gestures, which are typically achieved through a social\u2011engineering front. Because the attacker must convince a user to interact with a specially crafted page, the likelihood of widescale automatic exploitation is low, but targeted phishing attacks could still achieve the necessary conditions."}}}}, "created": "2026-04-09T08:16:53.543095+00:00", "title": "UXSS via History Navigation in Chrome 147", "updated": "2026-04-09T08:26:19.635883+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-79"]}