CVE-2026-8007

High

Published: 06 May 2026

Published

06 May 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score N/A

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

PM-14 Testing, Training, and Monitoring

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

SA-11 Developer Testing and Evaluation

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

SI-10 Information Input Validation

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

SI-8 Spam Protection

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-20

References

https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html
chrome-cve-admin@google.com
https://issues.chromium.org/issues/496399759
chrome-cve-admin@google.com