CVE-2026-0628

HIGH

Google Chrome < 143.0.7499.192 - Insufficient Policy Enforcement in WebView Tag

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-0628. PoCs published by XiaomingX, sastraadiwiguna-purpleeliteteaming, fevar54.

AI-analyzed exploit summary This repository contains a detailed technical writeup and researcher background for CVE-2026-0628, a Chromium WebView privilege escalation vulnerability. It includes in-depth analysis, mitigation strategies, and detection methods but lacks functional exploit code.

Description

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

Exploits (4)

github WRITEUP 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-0628

This repository contains a detailed technical writeup and researcher background for CVE-2026-0628, a Chromium WebView privilege escalation vulnerability. It includes in-depth analysis, mitigation strategies, and detection methods but lacks functional exploit code.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Chromium <143.0.7499.192, Edge <143.0.3650.139
No auth needed
Prerequisites: Chromium or Edge browser with vulnerable version
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WRITEUP 1 stars
by sastraadiwiguna-purpleeliteteaming · poc
https://github.com/sastraadiwiguna-purpleeliteteaming/Dissecting-CVE-2026-0628-Chromium-Extension-Privilege-Escalation

This repository provides a detailed technical analysis of CVE-2026-0628, a Chromium WebView privilege escalation vulnerability, including root cause analysis, mitigation strategies, and detection techniques. It does not contain exploit code but offers in-depth research and defensive guidance.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Chromium-based browsers (Chrome <143.0.7499.192, Edge <143.0.3650.139)
No auth needed
Prerequisites: Vulnerable Chromium-based browser · Malicious extension with WebView access
devstral-2 · analyzed Feb 19, 2026 Full analysis →
gitlab WRITEUP
by sastraadiwiguna-purpleeliteteaming · poc
https://gitlab.com/sastraadiwiguna-purpleeliteteaming/dissecting-cve-2026-0628-chromium-extension-privilege-escalation

This repository provides a detailed technical analysis of CVE-2026-0628, a Chromium WebView privilege escalation vulnerability, including root cause analysis, mitigation strategies, and detection techniques. It does not contain exploit code but offers in-depth research and defensive guidance.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Chromium <143.0.7499.192, Edge <143.0.3650.139
No auth needed
Prerequisites: Chromium-based browser with vulnerable WebView policy enforcement
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by fevar54 · poc
https://github.com/fevar54/CVE-2026-0628-POC

This repository contains a functional proof-of-concept for CVE-2026-0628, demonstrating script injection in privileged Chrome pages via the `<webview>` tag. The exploit leverages a missing authorization vulnerability (CWE-862) in Chrome versions prior to 143.0.7499.192.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Google Chrome < 143.0.7499.192
No auth needed
Prerequisites: Chrome extension with `<webview>` tag access · Target running vulnerable Chrome version
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0654
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (1)
google/chrome < 143.0.7499.192
Published Jan 07, 2026
Tracked Since Feb 18, 2026