CVE-2026-11295
📛 CVE Title
CVE-2026-11295
Description
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Overview
- State
- PUBLISHED
- Assigner (CNA)
- Chrome
- CVSS severity
- —
- CVSS score
- —
- CVSS vector
- —
- Effective score
- no score available from CNA, NVD, or AI yet
- CWE(s)
- —
- Reserved
- 2026-06-04
- Published
- 2026-06-04 23:06 UTC
- Last updated
- 2026-06-04 23:06 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/11xxx/CVE-2026-11295.json
AI-forensic CVSS estimate
Used only when a CVE has no official CVSS from its CNA or NVD. An LLM estimates the v3.1 base score from the description; a HIGH/CRITICAL estimate promotes the CVE to a Threat.
No AI estimate yet — it runs automatically once NVD has been checked, or click the button above.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2026-34756
EUVD enrichment is queued; refresh the page in a few seconds.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Chrome |
149.0.7827.53 (affected)
|
— |
Remediations (10)
-
web:app.opencve.io
Inappropriate implementation in WebView in Google Chrome on Android prior to 149..7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
2026-06-05 12:05 UTC -
web:cybersecuritynews.com
Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.
2026-06-05 12:05 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-06-05 12:05 UTC -
web:socradar.io
Google's June 2026 Android Security Bulletin includes a fix for an Android Framework elevation of privilege zero-day tracked as CVE -2025-48595. Google noted the issue "may be under limited, targeted exploitation," which raises the priority for teams managing Android fleets. The bulletin ships two patch levels, 2026 -06-01 and 2026 -06-05, with the latter bundling additional partner, device ...
2026-06-05 12:05 UTC -
web:source.android.com
Security patch levels of 2025-11-01 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. Within 48 hours after the initial publication of this bulletin, we will release the corresponding source code patches to the Android Open Source Project (AOSP) repository.
2026-06-05 12:05 UTC -
web:support.esri.com
The C version of this patch also includes additional bug fixes not related to security, refer to the updated Issues Addressed with this Patch section for the latest details. April 20, 2026 : The 11.4 version of the Portal for ArcGIS Security 2026 Update 1 Patch is now available.
2026-06-05 12:05 UTC -
web:support.microsoft.com
This cumulative update for Windows 11, version 25H2 and 24H2 (KB5089549) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release. Visit the Windows release health dashboard for the latest status on this release.
2026-06-05 12:05 UTC -
web:vulmon.com
CVE-2026-11295 - Privilege Escalation in Google Chrome WebView on Android Prior to 149..7827.53
2026-06-05 12:05 UTC -
web:www.crowdstrike.com
Microsoft's April 2026 Patch Tuesday addresses 164 CVEs , featuring 8 Critical vulnerabilities, one exploited zero-day, and one disclosed zero-day.
2026-06-05 12:05 UTC -
web:zecurit.com
Get the complete breakdown of Microsoft's June 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .
2026-06-05 12:05 UTC
Vendor references (2)
References embedded in the original CVE record by the assigning CNA.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-11295.json.
{
"containers": {
"cna": {
"affected": [
{
"product": "Chrome",
"vendor": "Google",
"versions": [
{
"lessThan": "149.0.7827.53",
"status": "affected",
"version": "149.0.7827.53",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Inappropriate implementation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T23:06:22.634Z",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"url": "https://issues.chromium.org/issues/502444677"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2026-11295",
"datePublished": "2026-06-04T23:06:22.634Z",
"dateReserved": "2026-06-04T17:11:18.366Z",
"dateUpdated": "2026-06-04T23:06:22.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}