CVE-2026-12024: Insufficient Policy Enforcement in Google Chrome DevTools Allows Same-Origin Policy Bypass
Source: NVD (reliability grade A) · CVE-2026-12024
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key metrics
- EPSS: 0%
Key insight
A same-origin policy bypass in Chrome DevTools allows attackers to access data from other origins via crafted HTML pages, which is particularly relevant for phishing and data theft scenarios.
Description
CVE-2026-12024 is a high-severity vulnerability in Google Chrome (versions prior to 149.0.7827.115) stemming from insufficient policy enforcement in DevTools. An attacker can supply a crafted HTML page to bypass the same-origin policy and read data belonging to other origins. The vulnerability is remotely exploitable, requires no user interaction, and crosses the browser's same-origin boundary. The Chromium project has rated the security severity as high; active exploitation in the wild is not documented, but endpoints running Chrome should be patched promptly by updating to 149.0.7827.115 or later.
Risk score
- cvss base: 0.00
- kev bonus: 0.00
- epss bonus: 0.00
- poc bonus: 0.00
- raw before weight: 0.00
- industry weight: 1.21
- freshness factor: 1.00
- exploitability factor: 1.00
- days old: 0.00
- vendor mismatch penalty: 0.00
Path: operational