cve 2026-11034

CVE-2026-11034 is a medium-severity vulnerability in Google Chrome on Android, fixed before version 149.0.7827.53. The flaw involves insufficient validation in the Tab Group Sync feature, which could allow a remote attacker to inject script or HTML via malicious network traffic, leading to universal cross-site scripting (UXSS). A notable aspect of this CVE is a metadata mismatch: the NVD configuration ties the vulnerability to Android, while the public vendor reference points to a desktop stable-channel post, creating confusion for CPE-based asset management. Discussions on WindowsForum highlight this discrepancy and its implications for security teams tracking affected systems.