{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5894", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:41.121Z", "datePublished": "2026-04-08T21:20:56.746Z", "dateUpdated": "2026-04-08T21:20:56.746Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Inappropriate implementation"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:56.746Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/481882038"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-5894", "lastModified": "2026-04-08T22:16:29.290", "metrics": {}, "published": "2026-04-08T22:16:29.290", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/481882038"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:39:47.819938+00:00", "value": {"mitigation_remediation": ["Update to Chrome version 147.0.7727.55 or later using the stable channel,", "Ensure that automatic updates are enabled on all machines to receive future patches promptly", "If an update cannot be applied immediately, use enterprise policies or extensions to block or restrict navigation to untrusted domains", "Monitor Chrome release notes and issue trackers for further mitigation recommendations"], "summary": {"action": "Patch Immediately", "impact": "Navigation Restriction Bypass"}, "threat_synthesis": {"affected_systems": "All installations of Google Chrome before release 147.0.7727.55 on desktop platforms are affected. The issue applies to all operating systems supported by the stable channel as it stems from the core PDF rendering engine shared across them.", "description_and_impact": "In Chrome versions prior to 147.0.7727.55, a flaw in PDF handling allows a remote attacker to craft an HTML page that forces the browser to navigate to an arbitrary URL while bypassing the browser\u2019s navigation restrictions. The inappropriate implementation in the PDF component leads to a controlled redirect that does not honor the usual security checks. This can enable an attacker to direct a user to malicious sites, potentially facilitating phishing or other social engineering attacks. The vulnerability does not provide direct code execution and is classified with low severity by Chromium security. While the impact is limited, the fact that a crafted page can alter navigation flows could be leveraged in malicious campaigns.", "risk_and_exploitability": "The CVSS assessment rates this vulnerability as low and the EPSS score is not available, indicating a lower likelihood of widespread exploitation. The flaw can be triggered from any web page that the victim visits, requiring no local privileges or advanced setup. Attackers could embed the crafted page in a website or email to exploit the navigation bypass. Although not currently listed in the CISA KEV catalog, the risk is moderate due to the potential for phishing campaigns that rely on redirecting users to attacker-controlled domains."}}}}, "created": "2026-04-09T08:16:58.420999+00:00", "title": "Remote Navigation Restriction Bypass via Crafted PDF in Chrome", "updated": "2026-04-09T08:26:24.617012+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-79"]}