Google disclosed CVE-2026-14020 on June 30, 2026, as a medium-severity Chrome WebXR input-validation flaw fixed in desktop Chrome 150.0.7871.47, where a crafted HTML page could enable UI spoofing after an attacker had already compromised the renderer process. The National Vulnerability Database...