Skip to main content
CVE-2026-9110 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.

Microsoft Information Disclosure Google Suse Red Hat +1
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2023-7346 MEDIUM This Month

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Ledger Bitcoin App
NVD
CVSS 4.0
4.1
EPSS
0.0%
CVE-2025-31973 MEDIUM This Month

HCL BigFix Service Management (SM) ships container deployments built on outdated or insecure base images, inheriting known vulnerabilities from those upstream layers rather than introducing a discrete code-level flaw. The CVSS vector (AV:L/PR:H/UI:R) constrains real-world risk significantly: exploitation requires local access, high privileges, and user interaction, making opportunistic remote attack unlikely. The actual exploitability and impact depend entirely on which specific vulnerabilities are present in the underlying base image versions in use. No public exploit code and no CISA KEV listing exist at the time of analysis.

Information Disclosure Bigfix Service Management
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-31985 LOW Monitor

Missing X-Content-Type-Options response header in HCL BigFix Service Management (SM) leaves browsers without MIME-type sniffing protection, creating conditions where malicious or ambiguously typed content served through the application could be misinterpreted and executed by a victim's browser. The CVSS score of 3.7 (Low) reflects genuine constraints: high attack complexity, required low-privilege authentication, and mandatory user interaction all limit realistic exploitability. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV), consistent with its classification as a security misconfiguration rather than a critical flaw.

Information Disclosure Bigfix Service Management
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-47068 LOW POC PATCH GHSA Monitor

Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47099 LOW PATCH Monitor

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

XSS Telejson
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-45232 LOW PATCH Monitor

Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.

Buffer Overflow Rsync
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy