Google Chrome vulnerabilities
3,975 known vulnerabilities affecting google/chrome.
Total CVEs
3,975
CISA KEV
74
actively exploited
Public exploits
61
Exploited in wild
65
Severity breakdown
CRITICAL297HIGH2029MEDIUM1630LOW17UNKNOWN2
Vulnerabilities
Page 4 of 199
CVE-2026-5899MEDIUMCVSS 6.1fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5899 [MEDIUM] CWE-346 CVE-2026-5899: Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowe
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5864MEDIUMCVSS 4.2fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5864 [MEDIUM] CWE-122 CVE-2026-5864: Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker t
Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
cvelistv5nvd
CVE-2026-5906MEDIUMCVSS 4.3≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5906 [MEDIUM] CWE-451 CVE-2026-5906: Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote
Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5900MEDIUMCVSS 4.3fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5900 [MEDIUM] CWE-693 CVE-2026-5900: Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypa
Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5887MEDIUMCVSS 4.3fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5887 [MEDIUM] CWE-20 CVE-2026-5887: Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7
Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5898MEDIUMCVSS 4.3fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5898 [MEDIUM] CWE-451 CVE-2026-5898: Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote att
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5897MEDIUMCVSS 4.3fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5897 [MEDIUM] CWE-451 CVE-2026-5897: Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker
Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5892MEDIUMCVSS 6.6≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5892 CVE-2026-5892: Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote att
Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5891MEDIUMCVSS 4.3≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5891 [MEDIUM] CWE-451 CVE-2026-5891: Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remo
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5893MEDIUMCVSS 6.8fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5893 [MEDIUM] CWE-362 CVE-2026-5893: Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit
Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5895MEDIUMCVSS 5.4fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5895 [MEDIUM] CWE-451 CVE-2026-5895: Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote att
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5880MEDIUMCVSS 4.3≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5880 [MEDIUM] CWE-451 CVE-2026-5880: Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remo
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5919MEDIUMCVSS 6.5fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5919 [MEDIUM] CWE-20 CVE-2026-5919: Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 all
Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5886MEDIUMCVSS 5.3fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5886 [MEDIUM] CWE-125 CVE-2026-5886: Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attac
Out of bounds read in WebAudio in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5896MEDIUMCVSS 6.1fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5896 [MEDIUM] CWE-693 CVE-2026-5896: Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinc
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5903MEDIUMCVSS 6.5fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5903 [MEDIUM] CWE-693 CVE-2026-5903: Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5894MEDIUMCVSS 4.3≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5894 CVE-2026-5894: Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacke
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
cvelistv5nvd
CVE-2026-5881MEDIUMCVSS 6.5≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5881 [MEDIUM] CWE-284 CVE-2026-5881: Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacke
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5885MEDIUMCVSS 6.5fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5885 [MEDIUM] CWE-20 CVE-2026-5885: Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.
Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd
CVE-2026-5888MEDIUMCVSS 6.5fixed in 147.0.7727.55≥ 147.0.7727.55, < 147.0.7727.552026-04-08
CVE-2026-5888 [MEDIUM] CWE-457 CVE-2026-5888: Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to
Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
cvelistv5nvd