This vulnerability in Cisco IOS XE Software bootloader affects Catalyst 9200, ESS9300, IE9310/9320, and IE3500/3505 series switches, allowing authenticated local attackers with level-15 privileges or unauthenticated attackers with physical access to execute arbitrary code at boot time and bypass the chain of trust. An attacker can manipulate loaded binaries to circumvent integrity checks during boot, enabling execution of non-Cisco-signed images. While the CVSS score is 6.1 (Medium), Cisco assigned it a High Security Impact Rating due to the critical nature of breaking the secure boot mechanism, a foundational security control.
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal SAML SSO - Service Provider module due to improper neutralization of user input during web page generation. All versions prior to 3.1.3 are affected, allowing attackers to inject malicious scripts that execute in the browsers of users interacting with SAML authentication flows. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), and while no CVSS score or EPSS data is currently available, the nature of XSS in authentication modules represents a significant risk to credential theft and session hijacking.
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal UI Icons module due to improper neutralization of user input during web page generation. This vulnerability affects UI Icons versions 0.0.0 through 1.0.0 and versions 1.1.0 through 1.1.0, allowing attackers to inject malicious scripts that execute in the context of victim browsers. No CVSS score, EPSS data, or confirmed KEV status is currently available; however, the XSS classification and Drupal reporting indicate this requires prompt patching to versions 1.0.1 or 1.1.1.
Cisco Meraki devices running vulnerable IOS XE Software transmit configuration data over unencrypted channels, enabling remote attackers to intercept sensitive device information through on-path attacks. The vulnerability requires user interaction and network proximity but carries no patch availability, leaving affected organizations exposed until remediation is implemented. This affects both Cisco and Apple products integrating the vulnerable software.
Denial-of-service attacks against multiple Apple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) result from improper null pointer handling that allows attackers in privileged network positions to crash affected systems. An attacker exploiting this CWE-476 vulnerability can render devices unavailable without user interaction. No patch is currently available, requiring users to apply mitigations until updates are released.
OpenEMR versions prior to 8.0.0.3 contain a SQL injection vulnerability in the MedEx recall/reminder processing code where user-controlled variables are concatenated directly into SQL queries without parameterization or type casting. An authenticated attacker with high privileges can exploit this to extract, modify, or delete sensitive healthcare data from the database. While the CVSS score of 5.9 is moderate, the attack requires high privilege level (PR:H) and high complexity (AC:H), but the confidentiality and integrity impacts are severe given the medical context.
IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.
An off-by-one error in fontconfig before version 2.17.1 allows a one-byte out-of-bounds write in the FcFontCapabilities function within fcfreetype.c during sfnt capability handling. This vulnerability affects all versions of fontconfig prior to 2.17.1 across multiple platforms, potentially enabling local attackers without special privileges to crash the application or execute arbitrary code. A patch is available through the official fontconfig GitLab repository, and given the memory corruption nature of the defect, exploitation is feasible on systems with fontconfig-dependent applications.
IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with low privileges to access sensitive information they should not be authorized to view. An attacker on the same network segment with valid user credentials can bypass authorization controls to read confidential data, though they cannot modify or delete information. A vendor patch is available, and this vulnerability should be prioritized for organizations running affected versions as it enables privilege escalation and data exfiltration within trusted network environments.
A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.
A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.
Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are vulnerable to a stack overflow vulnerability that can be triggered by user interaction with a malicious app, potentially causing denial-of-service conditions. The vulnerability stems from insufficient input validation and affects multiple recent OS versions across Apple's product ecosystem. While no patch is currently available, users should exercise caution when installing apps from untrusted sources.
A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.
This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.
A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.
A credential disclosure vulnerability exists in the Linux kernel's Dell WMI System Management (dell-wmi-sysman) module where the set_new_password() function performs hex dumps of memory buffers containing plaintext password data, including both current and new passwords. This affects all Linux kernel versions with the vulnerable dell-wmi-sysman driver, allowing local attackers with access to kernel logs or debug output to extract sensitive authentication credentials. While no CVSS score, EPSS probability, or active KEV status is currently assigned, the patch availability across six stable kernel branches indicates the vulnerability has been formally addressed by the Linux kernel maintainers.
This vulnerability is an AB-BA deadlock in the Linux kernel's PHY (Physical Layer) LED trigger subsystem that occurs when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled simultaneously. The deadlock arises because PHY LED triggers are registered during the phy_attach phase while holding the RTNL lock, then attempting to acquire the triggers_list_lock, while the netdev LED trigger code does the reverse—holding triggers_list_lock and attempting to acquire RTNL. This deadlock affects all Linux kernel versions with the affected PHY and LED trigger subsystems enabled (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while not directly exploitable for privilege escalation, it can be triggered to cause a system hang or denial of service by users with network configuration privileges or via userspace LED sysfs writes.
A use-of-uninitialized-variable vulnerability exists in the Linux kernel's radiotap parser that can lead to information disclosure when processing radiotap frames with undefined fields. The vulnerability affects all Linux kernel versions using the radiotap namespace parser (cpe:2.3:a:linux:linux) and occurs when undefined radiotap field 18 is present, causing the iterator->_next_ns_data variable to be compared against an uninitialized value. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation, the vulnerability has been patched across multiple kernel branches as evidenced by six distinct commit fixes.
The Linux kernel kalmia USB driver fails to validate that connected USB devices have the required endpoints before binding to them, allowing a malicious or malformed USB device to trigger a kernel crash during endpoint access. This denial-of-service vulnerability affects all Linux kernel versions running the kalmia driver (net/usb/kalmia.c) and requires physical USB device connection or local control of USB device enumeration. While no CVSS score or EPSS probability is formally assigned, the vulnerability has been patched across multiple stable kernel branches, indicating recognition of the issue's severity.
A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.
A deadlock vulnerability exists in the Linux kernel's mcp251x CAN bus driver where the mcp251x_open() function calls free_irq() while holding the mpc_lock mutex during error handling, causing the function to deadlock if an interrupt occurs simultaneously. This affects all Linux kernel versions with the vulnerable mcp251x driver code, and while not actively exploited in the wild (no KEV status indicates no in-the-wild exploitation), it represents a local denial of service condition where a user with appropriate device access can trigger driver initialization failures that hang the system.
A logic error in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem causes drbd_al_begin_io_nonblock() to fail silently when activity log extent acquisition fails due to spinlock contention, leading to loss of mutual exclusivity guarantees between resync and application I/O operations. This vulnerability affects all Linux kernel versions with the affected DRBD code and can result in kernel crashes via BUG_ON() assertions when activity log references are incorrectly released, as well as potential data consistency issues during active resync operations when concurrent application I/O proceeds without proper exclusivity enforcement.
A memory management vulnerability in the Linux kernel's EFI boot services implementation causes a leak of approximately 140MB of RAM on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, particularly affecting resource-constrained EC2 instances with 512MB total RAM. The vulnerability occurs when efi_free_boot_services() attempts to free EFI boot services memory before the kernel's deferred memory map initialization is complete, resulting in freed pages being skipped and never returned to the memory pool. This is a kernel-level memory exhaustion issue affecting all Linux distributions, though impact is most severe on systems with minimal RAM; no active exploitation or proof-of-concept has been identified as this is a resource leak rather than a code execution vector.
A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.
A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.
A resource leak vulnerability exists in the Linux kernel's ETAS ES58X USB CAN driver where URBs (USB Request Blocks) submitted in the read bulk callback are not properly anchored before submission, potentially causing memory leaks when usb_kill_anchored_urbs() is invoked. This affects all Linux kernel versions running the etas_es58x driver. An attacker with local access to trigger device disconnection or system shutdown could cause kernel memory exhaustion through repeated URB leaks, leading to denial of service or information disclosure of kernel memory contents.
A logic error in the Linux kernel's MPTCP (MultiPath TCP) path management subsystem fails to properly track endpoint usage state when an endpoint is configured with both 'signal' and 'subflow' flags and subsequently removed. This causes a kernel warning and potential state inconsistency in the MPTCP connection management code. The vulnerability affects Linux kernel versions and is triggered through netlink socket manipulation by unprivileged users, potentially leading to denial of service or unexpected kernel behavior.
The Linux kernel's kaweth USB driver fails to validate that probed USB devices have the expected number and types of endpoints before binding to them, allowing a malicious or malformed USB device to cause a kernel crash when the driver blindly accesses non-existent endpoints. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches and can be triggered by any user with the ability to connect a crafted USB device to a system running the vulnerable kernel. While CVSS and EPSS scores are not available, the vulnerability represents a straightforward crash vector with no reported active exploitation but patches are available across multiple kernel versions.
A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.
The Linux kernel CIFS client contains an information disclosure vulnerability where debug logging in the cifs_set_cifscreds() function exposes plaintext usernames and passwords in kernel logs when debug logging is enabled. This affects all versions of the Linux kernel with CIFS client support, allowing any local user or administrator with access to kernel logs to recover plaintext SMB credentials. While no CVSS score, EPSS data, or KEV status is publicly available, the severity is elevated due to the direct exposure of authentication credentials in commonly-accessible debug logs.
A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.
A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.
A reference count leak in the Linux kernel's SCSI core subsystem causes the tagset_refcnt reference counter to fail to decrement properly, resulting in resource exhaustion and system hangs during SCSI host teardown. This affects all Linux kernel versions with the vulnerable code path, particularly impacting iSCSI configurations where the leak manifests as indefinite blocking in scsi_remove_host() calls. While not actively exploited in the wild (no KEV status), this is a denial-of-service vulnerability that can be triggered by any user with the ability to manage SCSI sessions or trigger host removal operations.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
A recursive locking vulnerability exists in the Linux kernel's target core configfs implementation where the target_core_item_dbroot_store() function attempts to open a file using filp_open() while already holding a semaphore (frag_sem) acquired in flush_write_buffer(), creating a deadlock condition when the same configfs file is accessed. This affects all Linux kernel versions with the vulnerable target subsystem code, and while no CVSS score or EPSS data is publicly available, the vulnerability has been resolved across multiple stable kernel branches with patch commits available in the kernel git repository, suggesting active acknowledgment of the issue as a legitimate kernel bug requiring remediation.
This vulnerability involves improper resource cleanup in the Linux kernel's NFC PN533 USB driver, where a reference count on the USB interface is not properly released when a device is disconnected. Affected systems include all Linux kernel versions with the vulnerable PN533 driver code, impacting any system using NFC devices based on the PN533 chipset. While this is a resource management issue rather than a direct memory corruption vulnerability, it can lead to information disclosure or denial of service through USB interface resource exhaustion over repeated device attach/detach cycles. The vulnerability has been resolved in the Linux kernel with multiple backported patches available across stable branches.
The pegasus USB network driver in the Linux kernel fails to validate that connected USB devices have the proper number and types of endpoints before binding to them, allowing a malicious USB device to trigger a kernel crash through null pointer dereference or out-of-bounds memory access. This denial-of-service vulnerability affects Linux kernel versions across multiple stable branches, as evidenced by patches applied to at least six different kernel maintenance branches. An attacker with physical access to a target system or the ability to inject a crafted USB device into the network could crash the kernel without authentication or elevated privileges, though no public exploit code or active exploitation in the wild has been reported.
This vulnerability is a resource leak in the Linux kernel's InfiniBand mthca driver within the mthca_create_srq() function, where the mthca_unmap_user_db() cleanup call is missing on the error path. A user with local access can trigger this leak by causing the mthca_create_srq() system call to fail, resulting in persistent kernel memory not being freed, which could lead to denial of service through memory exhaustion. While no CVSS score, EPSS value, or KEV status is documented, the issue affects all Linux kernel versions using the mthca driver and has been patched across multiple stable kernel branches as evidenced by six linked commit fixes.
A race condition in the SiFive PLIC (Platform Level Interrupt Controller) interrupt handling code can cause interrupts to become frozen when interrupt affinity is modified while an interrupt is being processed. The vulnerability affects Linux kernel implementations using the SiFive PLIC irqchip driver, potentially causing system hangs or device unresponsiveness on RISC-V systems. While not actively exploited in the wild, the issue is easily reproducible through concurrent affinity changes and high interrupt load, making it a practical denial-of-service concern for affected systems.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
This vulnerability exists in the Linux kernel's MediaTek Ethernet driver (mtk_eth_soc) where an eBPF program pointer is not properly reset to its previous state if the mtk_xdp_setup() function encounters an error during the mtk_open routine. This resource management flaw can lead to incorrect reference counting of eBPF programs, potentially causing use-after-free or memory leak conditions. All Linux kernel versions with the affected MediaTek Ethernet driver (cpe:2.3:a:linux:linux) are impacted, and the vulnerability has been patched across multiple stable kernel branches as evidenced by six commit references spanning different kernel versions.
A logging issue in Apple's operating systems allows improper data redaction in system logs, enabling installed applications to access sensitive user data that should have been masked. This vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.3 and earlier, iPadOS 26.3 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.3 and earlier, and visionOS 26.3 and earlier. An attacker with the ability to install or control an application on an affected device could exploit inadequate log data filtering to extract confidential user information that should be protected by the operating system's redaction mechanisms.
A logging issue in Apple's operating systems allows improper data redaction, potentially enabling applications to disclose kernel memory contents. This information disclosure vulnerability affects iOS and iPadOS (versions prior to 18.7.7 and 26.4), macOS (Sequoia 15.7.5, Sonoma 14.8.5, Tahoe 26.4), visionOS 26.4, and watchOS 26.4. An untrusted application with standard execution privileges could exploit this to read sensitive kernel memory that should have been redacted from logs, potentially exposing cryptographic material, memory addresses useful for ASLR bypass, or other privileged information. No CVSS score, EPSS data, or public proof-of-concept has been disclosed at this time, and this does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability involves improper handling of symbolic links in Apple operating systems that could allow an application to access user-sensitive data without proper authorization. The flaw affects iOS and iPadOS versions prior to 26.3, macOS Sequoia versions prior to 15.7.4, macOS Sonoma versions prior to 14.8.4, and macOS Tahoe versions prior to 26.3 and 26.4. An attacker with the ability to execute code in a sandboxed application context could potentially bypass security restrictions to access protected user information, though no active exploitation in the wild has been confirmed at this time.