CVE-2026-14138
Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a
CVSS
4.2
Medio
EPSS
0.2%
p6
KEV
—
Exploit Today
2
0-100
Publicado: 30 jun 2026 · Última mod.: 1 jul 2026 · CWE-451
0.2%EPSS · 30 días0.2%
2026-07-012026-07-17
Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-38616.5 MED22.4%
——7LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.10dCVE-2026-450646.1 MED21.3%
——6Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.2dCVE-2026-138926.5 MED20.2%
——6Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)16dCVE-2026-487606.1 MED17.8%
——5Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.2dCVE-2026-139856.5 MED16.9%
——5Inappropriate implementation in MediaCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)15dCVE-2026-45150—16.6%
——5Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.2d