Google shipped an emergency update for Chrome on June 30, fixing a high-severity universal cross-site scripting (UXSS) bug that let attackers inject arbitrary code into web pages via a crafted XML file.

Tracked as CVE-2026-14000, the vulnerability affects the stable channel of Google Chrome on Windows, macOS, and Linux. Google’s advisory confirms that a remote attacker could exploit the flaw by tricking a user into opening a maliciously crafted XML document, leading to script injection or HTML payloads in the context of any origin. The fix arrives in Chrome version 150.0.7871.47, and users should update immediately.

The Fix in Chrome 150

The update to Chrome 150.0.7871.47 (and later) addresses CVE-2026-14000, which Google rated as High severity. The vulnerability—an incorrectly handled XML parsing issue—could allow a crafted XML file to bypass the browser’s same-origin policy. In a UXSS attack, an attacker does not need to find a flaw in a specific website; instead, they can inject scripts that run in the context of any domain the victim visits, potentially stealing cookies, authentication tokens, or personal data.

Google’s security advisory does not provide deep technical details, likely to prevent immediate exploitation while the update rolls out. The vulnerability was reported by an external security researcher, whose name will be disclosed once the patch reaches a majority of users.

The stable channel update includes additional fixes for other bugs, but CVE-2026-14000 is the most critical. Chrome 150.0.7871.47 is now available via the browser’s auto-update mechanism and can be manually triggered by navigating to chrome://settings/help.

Who’s Affected and How

Any Chrome installation running a version older than 150.0.7871.47 is vulnerable. This includes:

  • Home users who have not restarted Chrome or who have disabled automatic updates.
  • Enterprise deployments where IT policies delay updates or where legacy systems are pinned to older Chrome versions.
  • Chromium-based browsers that have not yet merged the upstream fix (though this CVE is specific to Google Chrome’s codebase; forks like Edge or Brave may have their own patches).

Exploitation requires a user to open a weaponized XML file—commonly delivered as an email attachment, a download from a malicious site, or embedded in a compromised web page using XML data islands. Once opened, the attacker gains the ability to execute scripts in any origin the browser has loaded, effectively turning the browser into a surveillance tool.

Impact by Audience

For everyday users: The risk is moderate to high. While you need to open a dodgy XML file, attackers often disguise these as invoices, reports, or configuration files. Successful UXSS can steal login sessions for banking, email, and social media without any obvious sign.

For power users and administrators: This is a critical patch. If you manage Chrome for others, the vulnerability undermines browser isolation—a cornerstone of modern security. An attacker who compromises a user’s browser can pivot to internal web applications that rely on single sign-on, potentially exposing corporate data.

For developers: If your web app relies on client-side security guarantees (like frame busting or iframe sandboxing), note that UXSS bypasses these entirely. Review your CSP headers as a defense-in-depth measure, but patching the browser is the only real fix.

The XML Parsing Vulnerability Timeline

June 30, 2026, at 10:30 AM PT, Google published the Chrome 150 stable channel update for desktop. The release notes listed three security fixes, with CVE-2026-14000 receiving top billing. The bug was discovered internally or through responsible disclosure, but Google has not named the researcher yet.

This is not the first Chrome UXSS flaw involving XML parsing. Past examples include CVE-2019-5790, where an integer overflow in XML document handling led to UXSS, and CVE-2020-6454, a use-after-free in the XML parser that also allowed script injection. The recurrence suggests that XML processing remains a challenging attack surface in the Chromium codebase.

Chrome’s security team awarded a bounty for this report, though the amount is undisclosed. Google’s vulnerability reward program typically pays up to $15,000 for High-severity bugs of this nature.

The patch was included in the regular six-week release cycle for Chrome 150, but given the severity, Google likely accelerated its deployment. The advisory does not mention active exploitation in the wild, but it’s not uncommon for such details to surface days after the patch.

Update Chrome Now – And How IT Admins Can Push It

For Individual Users

  1. Open Chrome and click the three-dot menu in the top-right corner.
  2. Go to Help > About Google Chrome.
  3. Chrome will check for updates and automatically download version 150.0.7871.47 (or later).
  4. Click Relaunch when prompted. If you’ve saved open tabs, they’ll restore automatically.

After relaunch, verify the version by revisiting chrome://settings/help. You should see “Chrome is up to date” and the version string starting with 150.0.7871.

For IT Administrators

If you manage Chrome across multiple Windows workstations, you have several deployment options:

  • Group Policy (GPO): Update your administrative templates to the latest version from the Chrome Enterprise download page. Set the “Chrome updates policy” to always allow auto-updates, or use the “Target version” policy to pin to a minimum of 150.0.7871.47.
  • Chrome Browser Cloud Management: Log into the Google Admin console, navigate to Devices > Chrome > Managed browsers, and check the update status for all enrolled endpoints. You can force a restart or set an update deadline.
  • MSI installer: Deploy the latest MSI package (version 150.0.7871) via SCCM, Intune, or your preferred software distribution tool. The MSI package is available from the Chrome Enterprise site.
  • Scheduled update checks: Even if you delay auto-updates via policy, ensure that Chrome checks for updates at least every 10 hours to apply the patch promptly.

For macOS and Linux fleets, use the respective package managers or MDM solutions to push the latest build.

Edge cases: If you run headless Chrome for automated testing, update your Docker images and CI pipelines immediately. The vulnerability can be exploited in headless mode if the browser processes XML content, even without a visible window.

Verify the Fix

You can check for the specific fix by looking at the Chrome release notes page. Google maintains a list of security fixes at https://chromereleases.googleblog.com/search/label/Stable%20updates. Look for the June 30, 2026 entry. The blog post will list “CVE-2026-14000” and a credit to the researcher.

What’s Next for Chrome Security

Chrome’s update cadence means users can expect weekly patches for the stable channel when high-impact vulnerabilities surface. With Chrome 150, Google has also started rolling out new site isolation policies (shipped in earlier milestones) that may reduce the impact of UXSS attacks by further splitting renderer processes. However, these defenses are not a substitute for patching.

Security researchers and browser developers are increasingly focusing on the XML attack surface. The Chromium bug tracker shows multiple open issues related to XML parsing, and Google’s reward program incentivizes deeper fuzzing of these components. Expect more hardening patches in future releases.

For now, the best defense is to treat any XML file from an untrusted source as dangerous—just as you would an executable. And, as always, keep automatic updates turned on.