CWE-474
AllowedUse of Function with Inconsistent Implementations
Abstraction: Base · Status: Draft
The code uses a function that has inconsistent implementations across operating systems and versions.
12 vulnerabilities reference this CWE, most recent first.
GHSA-QMV8-5R2W-3PX8
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 03:31Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11102"
],
"database_specific": {
"cwe_ids": [
"CWE-474"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:15Z",
"severity": "HIGH"
},
"details": "Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)",
"id": "GHSA-qmv8-5r2w-3px8",
"modified": "2026-06-06T03:31:21Z",
"published": "2026-06-05T00:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11102"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/500468338"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHHM-M8M8-J8Q5
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 06:30Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11097"
],
"database_specific": {
"cwe_ids": [
"CWE-474"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:15Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-xhhm-m8m8-j8q5",
"modified": "2026-06-06T06:30:28Z",
"published": "2026-06-05T00:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11097"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/500311718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Do not accept inconsistent behavior from the API specifications when the deviant behavior increase the risk level.
No CAPEC attack patterns related to this CWE.