CVE-2026-10928: Script injection in Headless in Google Chrome prior to 149
Script injection in Headless in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Script injection in the Headless component of Google Chrome (versions before 149.0.7827.53) allows a remote attacker to execute arbitrary code by delivering a crafted HTML page to a victim. The vulnerability is reachable over the network and requires no authentication, though it does require the victim to open the malicious page. Successful exploitation gives the attacker full code execution in the context of the browser process, enabling data theft, file system tampering, or complete session compromise. A patched-image rebuild at 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome dependency. Any image whose installed Chrome version falls below 149.0.7827.53 is flagged automatically.
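As an added illustration of the version check described above (example code, not HarborGuard's own detection logic), the helper below parses the output of `google-chrome --version` / `chromium --version` and compares the four Chrome version components numerically against the fixed build 149.0.7827.53; the sample version strings are constructed, and the binary name is an assumption.

```python
import re
import subprocess
from typing import Optional

# Fixed build published in the advisory for CVE-2026-10928.
FIXED_VERSION = (149, 0, 7827, 53)

# Chrome reports a four-component version, e.g. "Google Chrome 148.0.7800.10"
# or "Chromium 149.0.7827.53 snap"; take the first such token.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> tuple[int, ...]:
    """Extract the numeric Chrome version from a --version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(text: str, fixed: tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Components are compared as integers: a plain string comparison would
    rank "149.0.7827.9" above "149.0.7827.53" and miss an affected build.
    """
    return parse_chrome_version(text) < fixed


def installed_chrome_is_affected(binary: str = "google-chrome") -> Optional[bool]:
    """Query the local binary (assumed name); None when it is not installed."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_affected(proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host.
    for sample in ("Google Chrome 148.0.7800.10",
                   "Google Chrome 149.0.7827.9",
                   "Chromium 149.0.7827.53 snap",
                   "Google Chrome 150.0.7900.1"):
        print(f"{sample!r}: affected={is_affected(sample)}")
```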
HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency. Routed findings land in the inbox of the team or individual configured to own browser-runtime vulnerabilities in that environment.
A patched-image rebuild at Chrome 149.0.7827.53 is available for any image HarborGuard identifies as affected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the payload over the network; the target Chrome instance must be reachable or the victim must browse to an attacker-controlled page.
- Authentication: Not required
  No account or credential of any kind is needed; the attack works against any unauthenticated browser session.
- Victim interaction: Required
  The victim must open a crafted HTML page, making social engineering (phishing link, malicious ad, redirected URL) the necessary delivery mechanism.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and imposes no special environmental preconditions or race conditions on the attacker.
Blast Radius
- Attacker executes arbitrary code in the browser process, gaining the same filesystem and network access the browser holds.
- Confidential data visible to the browser (session tokens, saved credentials, page contents) is readable by the attacker.
- Attacker can write or modify files accessible to the browser process, including cached data and locally stored application state.
- The browser process can be crashed or made unresponsive, disrupting any workflow or service that depends on the headless Chrome instance.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE ingestion for any image bundling a Chrome version below 149.0.7827.53, covering both third-party base images and internally built images. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before remediation, the finding is routed to the appropriate team inbox with CVSS scoring and policy-weighted priority attached. Because this is a network-delivered, victim-interaction exploit, customers running headless Chrome as a server-side rendering or scraping component should also consider network-policy controls that restrict which origins the headless instance is permitted to load until a patched image is deployed.
Fix available
- Google / Chrome: versions < 149.0.7827.53 (fixed in 149.0.7827.53)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H