CVE-2026-11265: Inappropriate implementation in Autofill in Google Chrome prior to 149
Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a cross-origin data leak vulnerability in the Autofill feature of Google Chrome prior to version 149.0.7827.53. A remote attacker can exploit it by serving a crafted HTML page to a target user, with no authentication or interaction required, causing the browser to leak data from cross-origin contexts. Successful exploitation allows the attacker to read sensitive data that should be restricted by the browser's same-origin policy. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-11265 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chromium or Chrome binary. Coverage extends to both registry scans and CI/CD pipeline checks.
AvailableHarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector, and triage is available with per-environment compliance policy weighting to prioritize findings appropriately. Routed alerts reach the correct team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must be able to reach the victim's browser over the network by serving a crafted HTML page from a remote host.
- AuthenticationNot required
No account or credential is needed; the attack is executable by any remote party who can get the victim to load a page.
- Victim interactionNot required
The CVSS vector specifies UI:N, meaning no user action beyond having the vulnerable browser load the attacker-controlled page is necessary.
- Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- The attacker reads data from cross-origin browser contexts that the same-origin policy is supposed to isolate, such as autofill field contents populated from other origins.
- Sensitive values surfaced by the Autofill feature, including names, addresses, or other form data, become readable to the attacker.
- Confidentiality of browser-side user data is compromised; integrity and availability of the affected system are not impacted by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11265 triggers as soon as the advisory is ingested, matching against any customer image that bundles a Chrome or Chromium binary below version 149.0.7827.53. For customers who opt into auto-remediation, HarborGuard generates a rebuilt image at the patched version, runs a regression test, and opens a PR against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is routed to the designated team inbox with CVSS scoring and affected-image context attached.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N