CVE-2026-7939

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-7939
Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html Vendor Advisory
https://issues.chromium.org/issues/492963096 Issue Tracking Permissions Required
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

06 May 2026, 23:33

Type Values Removed Values Added
References () https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html - () https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html - Vendor Advisory
References () https://issues.chromium.org/issues/492963096 - () https://issues.chromium.org/issues/492963096 - Issue Tracking, Permissions Required
First Time Apple macos
Microsoft windows
Linux
Google chrome
Microsoft
Linux linux Kernel
Google
Apple
CPE cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

06 May 2026, 22:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
CWE CWE-79

06 May 2026, 19:19

Type Values Removed Values Added
New CVE
Information

Published : 2026-05-06 19:16

Updated : 2026-05-06 23:33

NVD link : CVE-2026-7939

Mitre link : CVE-2026-7939

CVE.ORG link : CVE-2026-7939

JSON object : View

Products Affected

google

  • chrome

microsoft

  • windows

apple

  • macos

linux

  • linux_kernel
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')