{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5891", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:40.426Z", "datePublished": "2026-04-08T21:20:53.739Z", "dateUpdated": "2026-04-08T21:20:53.739Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:53.739Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/487471101"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}], "id": "CVE-2026-5891", "lastModified": "2026-04-08T22:16:28.990", "metrics": {}, "published": "2026-04-08T22:16:28.990", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/487471101"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:59:07.399762+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 147.0.7727.55 or later."], "summary": {"action": "Patch Update", "impact": "UI Spoofing, Potential Phishing"}, "threat_synthesis": {"affected_systems": "Affected releases are the desktop versions of Google Chrome older than 147.0.7727.55. The issue is noted in the stable channel update for that version, and the references point to the official Chrome release notes.", "description_and_impact": "The vulnerability arises from insufficient policy enforcement in Google Chrome\u2019s browser user interface. A remote attacker who has already compromised the renderer process can craft a malicious HTML page that mimics legitimate UI elements, enabling UI spoofing. The flaw is rated medium severity by Chromium security.", "risk_and_exploitability": "Exploitation requires the renderer process to be compromised, a condition that already indicates a significant breach. With that prerequisite, the attacker can perform spoofing to deceive users into revealing sensitive information or executing unintended actions. Because the EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, the overall exploitation probability is uncertain, but the medium severity suggests a moderate risk that warrants timely patching."}}}}, "created": "2026-04-09T08:17:01.396494+00:00", "title": "Insufficient UI Policy Enforcement Enables Renderer-Based Spoofing in Chrome", "updated": "2026-04-09T08:26:27.491264+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-264", "CWE-1036"]}