{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5898", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:42.491Z", "datePublished": "2026-04-08T21:20:58.284Z", "dateUpdated": "2026-04-08T21:20:58.284Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Incorrect security UI"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:58.284Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/470295118"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-5898", "lastModified": "2026-04-08T22:16:29.690", "metrics": {}, "published": "2026-04-08T22:16:29.690", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/470295118"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:38:26.545260+00:00", "value": {"mitigation_remediation": ["Update Google Chrome on all iOS devices to version 147.0.7727.55 or newer. ", "Verify that the update is successfully applied before visiting untrusted sites."], "summary": {"action": "Patch Immediately", "impact": "UI Spoofing"}, "threat_synthesis": {"affected_systems": "Google Chrome on iOS versions prior to 147.0.7727.55 are affected. The issue exists in the omnibox component, which is the combined address and search bar that appears on the browser's home screen. All iOS devices running versions of Chrome below the mentioned update are vulnerable until they receive the official patch.", "description_and_impact": "An incorrectly implemented security UI in the omnibox of Google Chrome on iOS allows a remote attacker to manipulate the user interface through a specially crafted web page. This flaw can cause users to see a false or misleading security indicator, leading them to believe that a page is secure when it is not. The vulnerability originates from the flawed presentation layer rather than a flaw in underlying security functions, which is why the Chromium Security team classifies it as low severity.", "risk_and_exploitability": "The attack vector is likely remote, requiring the user to visit a malicious web page that contains the crafted content. Although the CVSS score is not provided, the vulnerability is considered low risk by Chromium. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited public exploitation. Nevertheless, an attacker could use this UI deception to phish credentials or user behavior, so remediation is advised."}}}}, "created": "2026-04-09T08:16:54.503166+00:00", "title": "Chrome iOS Omnibox UI Spoofing Vulnerability", "updated": "2026-04-09T08:26:20.620774+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-200", "CWE-795"]}