CVE-2026-11297
Description
Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Overview
- State: PUBLISHED
- Assigner (CNA): Chrome
- CVSS severity: —
- CVSS score: —
- CVSS vector: —
- Effective score: no score available from CNA, NVD, or AI yet
- CWE(s): CWE-20
- Reserved: 2026-06-04
- Published: 2026-06-04 23:06 UTC
- Last updated: 2026-06-04 23:06 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/11xxx/CVE-2026-11297.json
European Union Vulnerability Database (ENISA EUVD)
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID: EUVD-2026-34758
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Google | Chrome | < 149.0.7827.53 (affected) | — |
Vendor references (2)
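References embedded in the original CVE record by the assigning CNA.
- https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html
- https://issues.chromium.org/issues/502502017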
Raw JSON
The full cvelistV5 record.
```json
{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Chrome",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "149.0.7827.53",
              "status": "affected",
              "version": "149.0.7827.53",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "Insufficient validation of untrusted input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T23:06:23.453Z",
        "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "shortName": "Chrome"
      },
      "references": [
        {
          "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
        },
        {
          "url": "https://issues.chromium.org/issues/502502017"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
    "assignerShortName": "Chrome",
    "cveId": "CVE-2026-11297",
    "datePublished": "2026-06-04T23:06:23.453Z",
    "dateReserved": "2026-06-04T17:11:18.894Z",
    "dateUpdated": "2026-06-04T23:06:23.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
```