CVE-2026-15128 Overview
CVE-2026-15128 is a Universal Cross-Site Scripting (UXSS) vulnerability affecting Google Chrome versions prior to 150.0.7871.115. The flaw stems from an inappropriate implementation in the Forms component of the Chromium engine. A remote attacker can inject arbitrary scripts or HTML into the context of another origin by serving a crafted HTML page. Successful exploitation requires user interaction, such as visiting a malicious website. Chromium security engineers rated the underlying issue as High severity, while the NVD assigned a Medium CVSS score reflecting the limited direct impact and required user interaction. The weakness is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of arbitrary origins, bypassing the same-origin policy and potentially stealing session tokens, credentials, or performing actions on behalf of authenticated users.
Affected Products
- Google Chrome desktop versions prior to 150.0.7871.115
- Chromium-based browsers integrating the vulnerable Forms component
- Downstream browsers (Edge, Brave, Opera, Vivaldi) pending vendor updates
Discovery Timeline
- 2026-07-08 - CVE-2026-15128 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15128
Vulnerability Analysis
CVE-2026-15128 is a Universal Cross-Site Scripting (UXSS) issue affecting the Forms subsystem in Chrome. Unlike traditional XSS, UXSS abuses a browser flaw rather than a server-side sanitization gap. This allows attackers to inject scripts into arbitrary origins from a single crafted page. The Forms component handles form submission, autofill, and DOM manipulation across frames. An inappropriate implementation in this handling permits an attacker-controlled document to interact with content it should not access. The result is script or HTML execution in a foreign origin context, enabling session theft, data exfiltration, or authenticated request forgery. The attack requires the victim to visit or interact with a crafted page.
Root Cause
The root cause lies in improper origin or context validation within the Forms implementation in Chromium. When form-related operations cross frame or origin boundaries, the browser fails to enforce the same-origin policy consistently. This lapse permits injected content to be evaluated in a target origin. The condition is tracked in the Chromium Issue Tracker Entry.
Attack Vector
Exploitation occurs over the network. An attacker hosts a malicious HTML page that leverages the Forms flaw to inject markup or JavaScript targeting a different origin. The victim must load the page or perform a triggering interaction such as clicking a link or submitting a form. Once triggered, injected script runs with the privileges of the targeted origin, exposing cookies, DOM contents, and authenticated APIs to the attacker.
No verified public proof-of-concept is available. Technical details are limited to the vendor disclosure in the Google Chrome Update Announcement and the referenced Chromium issue.
Detection Methods for CVE-2026-15128
Indicators of Compromise
- Browser telemetry showing rendering of unexpected inline scripts within trusted origins after navigation from external referrers
- Web proxy logs recording visits to unfamiliar domains immediately followed by anomalous outbound requests to attacker infrastructure
- Endpoint logs indicating Chrome processes below version 150.0.7871.115 interacting with suspicious HTML payloads
Detection Strategies
- Inventory Chrome installations across the fleet and flag any instance running a version prior to 150.0.7871.115
- Monitor DNS and HTTP telemetry for connections to newly registered or low-reputation domains serving HTML forms
- Correlate browser session anomalies, such as unexpected authentication token use, with recent web browsing activity
Monitoring Recommendations
- Ingest browser and endpoint telemetry into a centralized data lake for cross-source correlation and retention
- Deploy web content filtering and TLS inspection where policy allows, focused on high-risk categories such as newly observed domains
- Alert on Chrome update compliance drift by tracking version reporting from managed endpoints
How to Mitigate CVE-2026-15128
Immediate Actions Required
- Update Google Chrome to version 150.0.7871.115 or later on all managed endpoints without delay
- Force browser relaunch through enterprise management tooling to ensure the patch is loaded into active sessions
- Audit Chromium-based third-party browsers and apply corresponding vendor updates as they become available
Patch Information
Google released the fix in the Chrome Stable channel at version 150.0.7871.115. Administrators should validate rollout through Chrome Browser Cloud Management or equivalent MDM/GPO controls. Full release details are available in the Google Chrome Update Announcement.
Workarounds
- Restrict browsing to trusted domains via enterprise URL allowlists until patching completes
- Enforce strict Content Security Policy (CSP) headers on internally hosted applications to reduce the impact of injected script
- Disable or limit form autofill and third-party cookies through enterprise policy to reduce the exploitable surface
# Verify Chrome version on Windows via command line
"%ProgramFiles%\Google\Chrome\Application\chrome.exe" --version
# Verify Chrome version on macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
# Verify Chrome version on Linux
google-chrome --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

