CVE-2026-11291
📛 CVE Title
CVE-2026-11291
Description
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Overview
- State
- PUBLISHED
- Assigner (CNA)
- Chrome
- CVSS severity
- —
- CVSS score
- —
- CVSS vector
- —
- Effective score
- no score available from CNA, NVD, or AI yet
- CWE(s)
- —
- Reserved
- 2026-06-04
- Published
- 2026-06-04 23:06 UTC
- Last updated
- 2026-06-04 23:06 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/11xxx/CVE-2026-11291.json
AI-forensic CVSS estimate
Used only when a CVE has no official CVSS from its CNA or NVD. An LLM estimates the v3.1 base score from the description; a HIGH/CRITICAL estimate promotes the CVE to a Threat.
No AI estimate yet — it runs automatically once NVD has been checked, or click the button above.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2026-34752
EUVD enrichment is queued; refresh the page in a few seconds.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Chrome |
149.0.7827.53 (affected)
|
— |
Remediations (10)
-
web:cyberinsider.com
Microsoft has released the May 2026 Patch Tuesday updates for Windows 11, fixing 97 security vulnerabilities across the Windows ecosystem. This month's updates include fixes spanning Windows components, Microsoft Office, Azure services, SQL Server, SharePoint, Hyper-V, .NET, and multiple cloud platforms.
2026-06-05 12:05 UTC -
web:cybersecuritynews.com
Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.
2026-06-05 12:05 UTC -
web:github.com
CVE ID: CVE - 2026 -41091 Vulnerability Type: Improper Link Resolution Before File Access (CWE-59 - Link Following) Affected Component: Microsoft Malware Protection Engine Root Cause: Defender fails to properly resolve links/junctions during cloud-tagged file remediation /rollback, allowing redirection of privileged writes. Impact: Local authenticated attacker can escalate from standard user to ...
2026-06-05 12:05 UTC -
web:msrc.microsoft.com
The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
2026-06-05 12:05 UTC -
web:nvd.nist.gov
An official website of the United States government Here's how you know
2026-06-05 12:05 UTC -
web:www.lansweeper.com
Which vulnerabilities, issues, and other things did Microsoft update? Discover what's new using Lansweeper's Patch Tuesday May 2026 summary.
2026-06-05 12:05 UTC -
web:www.oracle.com
This Critical Patch Update contains 481 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2026 Critical Patch Update: Executive Summary and Analysis.
2026-06-05 12:05 UTC -
web:www.rapid7.com
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday, including critical RCE in Netlogon and the Windows DNS client.
2026-06-05 12:05 UTC -
web:www.windowscentral.com
A faulty BitLocker configuration is forcing some PCs into BitLocker recovery mode after the April 2026 update, but there's a workaround to resolve this issue.
2026-06-05 12:05 UTC -
web:zecurit.com
Get the complete breakdown of Microsoft's June 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .
2026-06-05 12:05 UTC
Vendor references (2)
References embedded in the original CVE record by the assigning CNA.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-11291.json.
{
"containers": {
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "149.0.7827.53",
"status": "affected",
"version": "149.0.7827.53",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Policy bypass",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:06:21.005Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/502346855"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-11291",
"datePublished": "2026-06-04T23:06:21.005Z",
"dateReserved": "2026-06-04T17:11:17.285Z",
"dateUpdated": "2026-06-04T23:06:21.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}