{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5900", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-04-08T19:34:42.921Z", "datePublished": "2026-04-08T21:20:59.034Z", "dateUpdated": "2026-04-08T21:20:59.034Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "147.0.7727.55", "status": "affected", "lessThan": "147.0.7727.55", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Policy bypass"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-04-08T21:20:59.034Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/475265304"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low)"}], "id": "CVE-2026-5900", "lastModified": "2026-04-08T22:16:29.890", "metrics": {}, "published": "2026-04-08T22:16:29.890", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/475265304"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "chromium-browser: Policy bypass in Downloads", "id": "2456763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456763"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-807", "details": ["A policy bypass flaw was found in the Downloads component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=475265304"], "name": "CVE-2026-5900", "public_date": "2026-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5900\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5900\nhttps://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/475265304"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[147.0.7727.55,147.0.7727.55)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T22:57:38.793017+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 147.0.7727.55 or later."], "summary": {"action": "Patch Update", "impact": "Remote Download Bypass"}, "threat_synthesis": {"affected_systems": "All desktop installations of Google Chrome with versions earlier than 147.0.7727.55 are affected. The issue is not limited to a specific operating system; any platform that runs Chrome in this vulnerable version range can be targeted.", "description_and_impact": "A crafted HTML page can cause Google Chrome to automatically download multiple files without prompting the user, bypassing the browser\u2019s built\u2011in multi\u2011download protection. This flaw allows an attacker to trigger the acquisition of arbitrary content, potentially including malware or other unwanted files, without the user\u2019s explicit consent. The weakness arises from improper enforcement of download policies, effectively granting the attacker elevated permissions to initiate downloads.", "risk_and_exploitability": "Chromium classifies the severity of this issue as Low and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a malicious web page delivered over the network; an unsuspecting user who opens that page may trigger the automatic downloads. Because the flaw does not provide arbitrary code execution, the risk is moderate, yet it remains a vector for phishing and malware delivery when the user is unaware of the downloads."}}}}, "created": "2026-04-09T08:16:52.525650+00:00", "title": "Chrome Multi-Download Protection Bypass via Crafted HTML Page", "updated": "2026-04-09T08:26:18.637091+00:00", "vendors": ["google", "google$PRODUCT$chrome"], "weaknesses": ["CWE-284", "CWE-285"]}