Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2631 articles · 174640 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-13872EXPLOITEDPATCHED
google · chrome

CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed

Description

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: Medium)

Affected Products

VendorProductVersions
googlechrome150.0.7871.47

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
googleandroidcve_cpe95%

References

  • https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html
  • https://issues.chromium.org/issues/497977983

Related News (2 articles)

Tier A
Microsoft MSRC1d ago
Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls
→ No new info (linked only)
Tier C
VulDB11d ago
CVE-2026-13872 | Google Chrome up to 149.0.7827.201 on Android WebAppInstalls sandbox (ID 497977)
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
150.0.7871.47
CWECWE-20
PublishedJun 30, 2026
Last enriched1d agov3
Trending Score65
Source articles2
Independent2
Info Completeness10/14
Missing: epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-13852EXP
CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed
Trending: 65
CRITICALCVE-2026-13851EXP
CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed
Trending: 65
CRITICALCVE-2026-13785EXP
CVE-2026-13785: Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a use
Trending: 63
HIGHCVE-2026-13778EXP
CVE-2026-13778: Use after free in WebUSB in Google Chrome on Mac prior to 150.0.7871.47 allowed a local attacker to execute arbitrary co
Trending: 60
HIGHCVE-2026-13788EXP
CVE-2026-13788: Use after free in Fullscreen in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to execute arb
Trending: 60

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 30, 2026
Discovered by ZDM
Jun 30, 2026
Updated: description, severity, cvssEstimate, activelyExploited, affectedVersions
Jul 1, 2026
Actively Exploited
Jul 1, 2026
Exploit Available
Jul 1, 2026
Patch Available
Jul 1, 2026
Updated: exploitAvailable
Jul 11, 2026

Version History

v3
Last enriched 1d ago
v3Tier A1d ago

Updated vendor to Microsoft and product to Edge, and marked exploit as available.

exploitAvailable
via Microsoft MSRC
v2Tier C11d ago

Updated severity to CRITICAL, added new affected version 149.0.7827.201, and changed exploit availability status.

descriptionseveritycvssEstimateactivelyExploitedaffectedVersions
via VulDB
v112d ago

Initial creation