CVE-2026-13977 Overview
CVE-2026-13977 is a Universal Cross-Site Scripting (UXSS) vulnerability in the HTMLParser component of Google Chrome versions prior to 150.0.7871.47. The flaw stems from an inappropriate implementation that allows a remote attacker to inject arbitrary scripts or HTML through a crafted HTML page. Successful exploitation requires user interaction, typically visiting a malicious page. Google Chromium classifies the security severity as Medium, and the vulnerability maps to CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can inject arbitrary scripts or HTML into trusted origins through the HTMLParser, bypassing the same-origin policy and enabling session theft, credential harvesting, and browser-context data disclosure.
Affected Products
- Google Chrome versions prior to 150.0.7871.47 (Stable channel, Desktop)
- Chromium-based browsers sharing the vulnerable HTMLParser code path
- Downstream distributions bundling pre-patch Chromium builds
Discovery Timeline
- 2026-06-30 - CVE-2026-13977 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-13977
Vulnerability Analysis
CVE-2026-13977 is a Universal Cross-Site Scripting (UXSS) issue rooted in Chrome's HTMLParser. Unlike traditional reflected or stored XSS, UXSS abuses a browser-level parsing flaw to execute script in the context of any origin the victim visits. The vulnerability requires network-based delivery and user interaction, but no privileges or prior authentication.
A successful attack can lead to disclosure and modification of data rendered within the browser. Because the injection occurs at the parser layer, standard site-level defenses such as output encoding on the target application do not prevent exploitation. The vulnerability is tracked in the Chromium Issue Tracker.
Root Cause
The defect resides in how the HTMLParser handles specific crafted markup. Inappropriate parsing decisions cause attacker-controlled content to be interpreted as active script or HTML within an unintended security context. This falls under [CWE-79], where the parser fails to properly neutralize input before it is incorporated into the rendered document tree.
Attack Vector
Exploitation is remote and requires the victim to load a malicious HTML page or a page that embeds attacker-controlled content through an iframe, ad slot, or compromised third-party resource. Once the crafted markup is parsed, the injected script runs with the privileges of the targeted origin, enabling theft of cookies, tokens, and DOM content. No further privileges or local access are required.
Because no verified public proof-of-concept has been released, detailed exploitation code is not reproduced here. See the Google Chrome Releases advisory for vendor guidance.
Detection Methods for CVE-2026-13977
Indicators of Compromise
- Chrome browser processes on endpoints reporting a version string earlier than 150.0.7871.47.
- Outbound requests to unfamiliar domains hosting HTML payloads containing malformed or obfuscated tag structures targeting parser edge cases.
- Browser telemetry showing unexpected cross-origin script execution or document.cookie access from embedded frames.
Detection Strategies
- Inventory Chrome and Chromium-based browser versions across the fleet and flag any installation below 150.0.7871.47.
- Inspect web proxy logs for user navigations to newly registered or low-reputation domains delivering HTML content shortly before suspicious authentication events.
- Correlate endpoint browser telemetry with identity provider logs to detect session token reuse from unexpected geolocations following page visits.
Monitoring Recommendations
- Enable enterprise browser reporting to surface version drift and extension anomalies in near real time.
- Monitor Content Security Policy (CSP) violation reports for sudden increases that may indicate parser-level injection attempts.
- Alert on browser child processes spawning unusual utility processes or making unexpected file-system writes after navigation events.
How to Mitigate CVE-2026-13977
Immediate Actions Required
- Update Google Chrome to version 150.0.7871.47 or later on all Windows, macOS, and Linux endpoints.
- Restart browser sessions after patch deployment to ensure the vulnerable parser is fully unloaded from memory.
- Audit Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply vendor updates that incorporate the upstream Chromium fix.
Patch Information
Google addressed CVE-2026-13977 in the Stable channel update 150.0.7871.47 for Desktop. Deployment details and release notes are available in the Chrome Releases blog. Enterprises using managed Chrome deployments should push the update through Google Chrome Enterprise policies or their standard patch management workflow.
Workarounds
- Restrict browsing to known-good domains through web filtering while patch rollout is in progress.
- Enforce strict Content Security Policy headers on internally hosted applications to reduce the impact of script injection.
- Disable third-party iframes and untrusted ad networks on high-value web properties until all clients are patched.
# Verify installed Chrome version on Linux/macOS endpoints
google-chrome --version
# Windows PowerShell: query installed Chrome version
(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
# Expected minimum patched version: 150.0.7871.47
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

