CVE-2026-0628: Insufficient policy enforcement in Google Chrome
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)
AI Analysis
Technical Summary
CVE-2026-0628 is a vulnerability identified in Google Chrome versions prior to 143.0.7499.192, specifically related to insufficient policy enforcement in the WebView tag. The WebView tag is used to embed web content within Chrome extensions or applications. Due to improper enforcement of security policies, an attacker can craft a malicious Chrome extension that, once installed by a user, can inject arbitrary scripts or HTML into privileged pages within the browser context. This injection capability can lead to a full compromise of the browser environment, allowing the attacker to manipulate content, steal sensitive information, or disrupt browser functionality. The attack vector requires social engineering to convince users to install the malicious extension, but no prior privileges or authentication are necessary. The vulnerability is categorized under CWE-862 (Missing Authorization), indicating that the enforcement of access control policies is flawed. The CVSS v3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required, but user interaction is necessary. Although no known exploits have been reported in the wild, the potential for exploitation is significant given Chrome's widespread use. The lack of patch links in the provided data suggests that the fix is either integrated into version 143.0.7499.192 or forthcoming, emphasizing the importance of timely updates.
Potential Impact
For European organizations, this vulnerability poses a substantial risk due to the widespread use of Google Chrome as a primary web browser in corporate and governmental environments. Successful exploitation can lead to unauthorized access to sensitive data, manipulation of web content, and disruption of browser-based workflows. This can result in data breaches, loss of intellectual property, and operational downtime. Organizations relying on Chrome extensions for business-critical functions are particularly vulnerable, as malicious extensions could bypass intended security controls. The requirement for user interaction (installing an extension) means that phishing or social engineering campaigns could be leveraged to exploit this vulnerability. Given the high CVSS score and the potential for privilege escalation within the browser, the threat could facilitate further lateral movement or persistent access within enterprise networks. The impact extends to compliance risks under GDPR if personal data is compromised. Additionally, sectors such as finance, healthcare, and public administration in Europe, which heavily depend on secure web browsing, face elevated risks.
Mitigation Recommendations
1. Immediately update all Google Chrome installations to version 143.0.7499.192 or later, where the vulnerability is addressed.
2. Enforce strict enterprise policies to control and whitelist allowed Chrome extensions, preventing unauthorized or unverified extensions from being installed.
3. Implement user awareness training focused on the risks of installing untrusted browser extensions and recognizing social engineering attempts.
4. Utilize endpoint security solutions capable of monitoring and blocking suspicious extension behaviors or unauthorized script injections.
5. Regularly audit installed extensions across organizational devices to detect and remove any potentially malicious or unnecessary extensions.
6. Employ network-level controls to monitor and restrict communications initiated by browser extensions to untrusted external servers.
7. Consider deploying browser isolation technologies for high-risk user groups to contain potential exploitation.
8. Maintain up-to-date incident response plans that include scenarios involving browser-based compromises.
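The version check, extension audit and allowlist policy from steps 1, 2 and 5 as an added example (not part of the advisory or of Chrome's own tooling). It assumes the layout of Chrome's per-profile Preferences file (extensions.settings keyed by extension id, with manifest.name and from_webstore), and the Chrome enterprise policy keys ExtensionInstallBlocklist and ExtensionInstallAllowlist; the sample profile data is constructed.

```python
import json

# Fixed version quoted in the advisory; anything older is in scope for CVE-2026-0628.
FIXED_VERSION = "143.0.7499.192"

def parse_version(v):
    """Turn a dotted Chrome version string into a tuple so it orders numerically."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)

def audit_extensions(prefs, allowlist):
    """Return installed extensions that are not on the approved allowlist.

    `prefs` mirrors the shape of Chrome's Preferences file (assumption):
    extensions.settings is keyed by the 32-character extension id.
    Only manifest.name and from_webstore are read.
    """
    findings = []
    for ext_id, info in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in allowlist:
            continue
        findings.append({
            "id": ext_id,
            "name": info.get("manifest", {}).get("name", "<unknown>"),
            "from_webstore": bool(info.get("from_webstore", False)),
        })
    return findings

def managed_policy(allowlist):
    """Enterprise policy body that blocks every extension except the allowlist.
    On Linux this JSON is dropped into /etc/opt/chrome/policies/managed/."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}

# Constructed sample profile, not a real one; the ids are placeholders.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"manifest": {"name": "Corporate SSO Helper"}, "from_webstore": True},
    "b" * 32: {"manifest": {"name": "Free PDF Tools"}, "from_webstore": False},
}}}
ALLOWLIST = {"a" * 32}

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable("143.0.7499.100"))
    for finding in audit_extensions(SAMPLE_PREFS, ALLOWLIST):
        print("unapproved extension:", finding)
    print(json.dumps(managed_policy(ALLOWLIST), indent=2))
```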
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Chrome
- Date Reserved: 2026-01-05T23:32:30.339Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 695da30cee4c93a4aaa68c92
Added to database: 1/7/2026, 12:04:28 AM
Last enriched: 1/14/2026, 1:31:31 AM
Last updated: 2/7/2026, 3:46:06 PM