The Anthropic Claude Chrome Extension was affected by a combined origin validation error and DOM-based XSS vulnerability (CVSS 7.5, no assigned CVE) that enabled zero-click indirect prompt injection from any malicious website, with downstream risks including session token theft, browser session hijacking, and unauthorized autonomous actions. Both underlying flaws have been resolved: the extension was patched in v1.0.41, and the Arkose Labs XSS component was independently remediated on 2026-02-19. Organizations should verify via the browser management console that all enterprise endpoints are running v1.0.41 or later, and audit Claude conversation logs for any anomalous prompt patterns during the exposure window between responsible disclosure (2025-12-27) and patch deployment.
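
One way to run the version check described above over an exported extension inventory, as an added example that is not part of the original advisory or any vendor tooling. The CSV column names, hostnames and `EXAMPLE_EXTENSION_ID` are constructed placeholders. Versions are compared numerically because a plain string comparison would rank 1.0.9 above 1.0.41.

```python
import csv
import io

PATCHED = (1, 0, 41)  # first fixed version, taken from the advisory text

# Constructed sample export. The columns and the extension ID are placeholders
# (assumptions), not the export format of any particular management console.
SAMPLE_EXPORT = """hostname,extension_id,version
ws-001,EXAMPLE_EXTENSION_ID,1.0.41
ws-002,EXAMPLE_EXTENSION_ID,1.0.9
ws-003,EXAMPLE_EXTENSION_ID,1.0.40
ws-004,EXAMPLE_EXTENSION_ID,1.1.0
ws-005,EXAMPLE_EXTENSION_ID,
ws-006,OTHER_EXTENSION_ID,0.9.0
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if empty or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(export_text, extension_id, patched=PATCHED):
    """Return (vulnerable, unknown) endpoint lists for one extension ID."""
    vulnerable, unknown = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["extension_id"] != extension_id:
            continue  # some other extension, out of scope for this check
        version = parse_version(row["version"] or "")
        if version is None:
            # No usable version reported: needs manual follow-up, not a pass.
            unknown.append(row["hostname"])
        elif version < patched:
            vulnerable.append((row["hostname"], row["version"]))
    return vulnerable, unknown


if __name__ == "__main__":
    vulnerable, unknown = audit(SAMPLE_EXPORT, "EXAMPLE_EXTENSION_ID")
    for host, version in vulnerable:
        print(f"BELOW v1.0.41: {host} is running {version}")
    for host in unknown:
        print(f"VERSION UNKNOWN: {host}")
```

Endpoints in the unknown list are reported separately so that a missing version field is never counted as patched.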