CVE-2026-11169: Inappropriate implementation in XML in Google Chrome prior to 149
Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
Universal Cross-Site Scripting (UXSS) via inappropriate XML handling in Google Chrome prior to version 149.0.7827.53. A remote attacker can reach this vulnerability over the network without authentication, but requires the victim to open a crafted XML file. Successful exploitation allows the attacker to inject and execute arbitrary scripts or HTML across any origin the browser has access to, disclosing sensitive data and tampering with page content. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or vendor a Chrome binary. Any image carrying a Chrome version below 149.0.7827.53 is flagged automatically.
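The detection described above reduces to a version comparison: any Chrome build strictly below 149.0.7827.53 is affected. The script below is an added example, not HarborGuard's scanner, showing how such a check is done correctly by parsing all four numeric components (string comparison would wrongly rank "9.0.9999.99" above "149.0.7827.53") and by reporting unparseable input as unknown rather than as fixed. The image names and version strings in the sample inventory are constructed.

```python
"""Added example (not HarborGuard's code): flag Chrome builds below the
CVE-2026-11169 fix version by parsing version strings and comparing all
four components numerically."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fix version stated in the advisory.
FIXED_VERSION = "149.0.7827.53"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 148.0.7700.12") or a package
    version field. Returns None when no four-part version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_affected(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when the version is strictly below the fix version, False when it
    is at or above it, None when the input could not be parsed (treat None as
    unknown, never as safe)."""
    found = parse_version(version_text)
    fix = parse_version(fixed)
    if found is None or fix is None:
        return None
    # Tuple comparison is numeric, component by component.
    return found < fix


def scan_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (image_name, version_text) pair to 'affected', 'fixed' or
    'unknown'."""
    results: Dict[str, str] = {}
    for image, version_text in inventory:
        verdict = is_affected(version_text)
        if verdict is None:
            results[image] = "unknown"
        else:
            results[image] = "affected" if verdict else "fixed"
    return results


# Constructed sample inventory; image names and versions are made up.
SAMPLE_INVENTORY = [
    ("ci-runner:chrome-old", "Google Chrome 148.0.7700.12"),
    ("ci-runner:chrome-fixed", "Google Chrome 149.0.7827.53"),
    ("ci-runner:chrome-newer", "Google Chrome 149.0.7827.60"),
    # Lexically greater than "149.0.7827.53" but numerically far older.
    ("ci-runner:lexical-trap", "Google Chrome 9.0.9999.99"),
    ("ci-runner:no-chrome", "chromium not installed"),
]

if __name__ == "__main__":
    for image, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{image}: {status}")
```

The "unknown" verdict matters in practice: an image whose Chrome version cannot be read (a vendored binary with no package metadata, for instance) should be queued for manual inspection, not silently passed.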
HarborGuard scores this CVE at CVSS 8.1 HIGH and weights it further against each environment's compliance policy, so teams with stricter browser-security requirements receive elevated routing. Triage tickets are delivered to the appropriate team inbox inside each customer org based on image ownership and policy configuration.
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed for an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted XML file over the network, so the target Chrome instance must be reachable or the user must be browsing to attacker-controlled content.
- Authentication: Not required
  No account or credential is needed; the attacker only needs the victim to open a crafted file or visit a crafted page.
- Victim interaction: Required
  The victim must open or load a specially crafted XML file, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and imposes no special race conditions or environmental preconditions on the attacker.
Blast Radius
- Reads session cookies, authentication tokens, and any sensitive data accessible to the current browser origin.
- Injects and runs arbitrary JavaScript across any origin the browser session has open, bypassing the same-origin policy.
- Modifies displayed page content in the victim's browser, enabling credential-harvesting overlays or UI redress attacks.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below 149.0.7827.53 are flagged as soon as the CVE is ingested, typically within minutes of publication. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at Chrome 149.0.7827.53, runs a regression test pass against the rebuilt image, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, the flagged image and fix version are surfaced in the dashboard for manual review and promotion. Customers who cannot update immediately should consider network-policy controls that restrict which internal services load untrusted XML content in a Chrome-based context, reducing the exposure window until the patched image is promoted.
Fix available
- Google / Chrome: < 149.0.7827.53 (from 149.0.7827.53)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N