Skip to main content
CVE-2026-32999 CRITICAL PATCH Act Now

Remote code execution in Comet Backup server allows a tenant administrator to inject arbitrary code into the backup agent signing module via insufficient character filtering, ultimately running code with elevated privileges on the Comet server and on connected backup agent devices. The vendor advisory links the issue to the branding configuration path, and no public exploit has been identified at time of analysis. Combined with a Scope:Changed CVSS:3.1 score of 9.0, successful exploitation pivots from a single tenant context into the underlying server and downstream endpoints.

RCE Code Injection Comet Backup
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-46833 CRITICAL NEWS Act Now

Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.

Information Disclosure Oracle
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-9891 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).

Google Use After Free Denial Of Service Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-9881 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.

Google Use After Free Denial Of Service Memory Corruption Chrome
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-42305 HIGH PATCH GHSA This Week

Arbitrary file write leading to remote code execution in Dulwich (pure-Python Git implementation) versions >= 0.10.0 and < 1.2.5 allows attackers controlling a Git repository to plant files inside a Windows victim's .git directory - most notably .git/hooks/pre-commit.exe - which executes on the next commit. The flaw stems from the NTFS path-element validator accepting Windows-hostile bytes (\, :, and git~<n> 8.3 short-name aliases) plus broken handling of core.protectNTFS/core.protectHFS configuration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the technique is closely modeled on the well-documented Git CVE-2019-1353/1354 class.

Microsoft RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4944 HIGH This Week

Remote code execution in vLLM 0.14.1 occurs because `trust_remote_code=True` is hardcoded inside the NemotronVL and KimiK25 model loaders, silently overriding the operator's explicit `--trust-remote-code=False` safety flag. Any deployment that loads a malicious or compromised HuggingFace repository for these model architectures will execute attacker-controlled Python in the inference process, despite UI:R requiring an operator to initiate the model load. No public exploit is identified at time of analysis, but the issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, indicating the regression pattern is already well understood.

RCE Path Traversal Vllm Project Vllm
NVD VulDB
CVSS 3.0
8.8
EPSS
0.1%
CVE-2026-10016 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows attackers to run arbitrary code inside the browser's renderer sandbox through a crafted HTML page that triggers a use-after-free condition in the DOM implementation. The flaw, rated High severity by Chromium and carrying a CVSS 8.8 score, requires only that a victim visit a malicious or compromised webpage, making it well-suited for drive-by attacks despite no public exploit identified at time of analysis.

Use After Free RCE Memory Corruption Google Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10015 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the WTF (Web Template Framework) component, exploitable when a victim visits a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and Chromium-assigned High severity, requires user interaction (UI:R) to load the malicious page, and no public exploit identified at time of analysis. While code execution is constrained to the renderer sandbox, this remains a strong primitive for chaining with sandbox escapes in real-world exploit kits.

Google RCE Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10007 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the SVG rendering component, allowing remote attackers to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. Rated High severity by the Chromium project with a CVSS score of 8.8, the issue requires user interaction (visiting a malicious page) but no authentication. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Use After Free RCE Memory Corruption Google Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9992 HIGH PATCH This Week

Remote code execution in Google Chrome's Network component prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by the Chromium team, and while no public exploit is identified at time of analysis, browser memory-corruption bugs of this class are historically attractive targets when chained with a sandbox escape.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9984 HIGH PATCH This Week

Remote code execution in Google Chrome for Windows versions prior to 148.0.7778.216 stems from a use-after-free condition in the UI component, allowing remote attackers to execute arbitrary code by luring a user to a crafted HTML page. Chromium rated the issue High severity and CVSS 8.8 reflects the network-reachable, low-complexity nature of the bug, tempered only by required user interaction (visiting the malicious page). No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Memory Corruption Use After Free Denial Of Service Microsoft Google +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9978 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 stems from a use-after-free defect in the Glic component, allowing a remote attacker to corrupt memory and execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google has rated the Chromium severity as High and shipped a Stable channel update; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS 8.8 score reflects network reachability and user interaction (loading a page), with full impact to confidentiality, integrity, and availability inside the sandboxed process.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9973 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to 148.0.7778.216 allows attackers to execute arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is an out-of-bounds write (CWE-787) rated High by Chromium and CVSS 8.8, requires user interaction to load attacker-controlled content, and no public exploit has been identified at time of analysis.

Google Memory Corruption RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9968 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from an integer overflow (CWE-472, External Control of Assumed-Immutable Web Parameter / integer-handling weakness in V8) rated High severity by Chromium and CVSS 8.8. No public exploit identified at time of analysis, and the bug is not currently listed in CISA KEV.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9957 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9947 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9945 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.

Use After Free RCE Memory Corruption Google Microsoft +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9941 HIGH PATCH This Week

Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Use After Free RCE Memory Corruption Google Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9928 HIGH PATCH This Week

Remote code execution in Google Chrome for Windows prior to 148.0.7778.216 stems from an out-of-bounds read in the ANGLE graphics abstraction layer, enabling attackers who lure a user to a malicious page to execute arbitrary code in the renderer context. Chromium rates the severity High and CVSS scores it 8.8 due to network reach and high impact across confidentiality, integrity, and availability, though successful exploitation requires user interaction (visiting the crafted page). No public exploit has been identified at time of analysis, but ANGLE bugs have historically been chained into browser sandbox escapes.

Information Disclosure RCE Buffer Overflow Google Microsoft +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9927 HIGH PATCH This Week

Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9897 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9896 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 148.0.7778.216 allows remote attackers to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a CWE-787 out-of-bounds write in V8 carrying a CVSS 8.8 (High) with Chromium severity rated High; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Google Memory Corruption RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9883 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9879 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds write in the ANGLE graphics translation layer, allowing a remote attacker to execute arbitrary code in the browser's renderer context after a victim visits a crafted HTML page. Chromium rates this severity Critical and CVSS scores it 8.8, with vendor patches released via the Stable channel update; no public exploit identified at time of analysis.

Google Memory Corruption RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9878 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9873 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10021 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code in the browser context by luring a victim to a crafted HTML page that abuses insufficient input validation in the WebUSB component. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and Chromium rates it Medium severity; no public exploit identified at time of analysis and it is not currently listed in CISA KEV. A vendor patch shipped via the Chrome Stable channel mitigates the issue.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10013 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the WebCodecs component, allowing a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a malicious HTML page. The issue is rated High severity by Chromium with a CVSS 3.1 score of 8.8, and a vendor patch is available, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV. Successful exploitation requires user interaction (visiting a crafted page), and code execution is constrained to the Chrome sandbox unless chained with a sandbox-escape bug.

Use After Free RCE Memory Corruption Google Denial Of Service +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9995 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the WebXR component, allowing a remote attacker to run arbitrary code within the browser's renderer sandbox by enticing a victim to visit a crafted HTML page. Google rates the underlying Chromium severity as High, and a vendor patch has been released; no public exploit identified at time of analysis.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9962 HIGH PATCH This Week

Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9952 HIGH PATCH This Week

Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-9884 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49127 HIGH PATCH This Week

Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.

RCE Buffer Overflow Mpd
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-45044 HIGH PATCH This Week

Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Denial Of Service Information Disclosure Authentication Bypass Rustfs
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-9969 HIGH PATCH This Week

Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code on a victim's machine when they visit a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) within ANGLE and carries a CVSS 8.8 rating reflecting network reach with user interaction. No public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.05% (16th percentile), but the high technical impact and Chrome's massive install base warrant prompt patching.

Google RCE Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-46837 HIGH This Week

Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.

Oracle Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46827 HIGH This Week

Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.

Oracle Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46826 HIGH This Week

Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit identified at time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.

Oracle Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9999 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers an inappropriate implementation flaw in the ANGLE graphics layer. The issue is rated High by Chromium and carries a CVSS 3.1 score of 8.8 with user interaction required; no public exploit identified at time of analysis and EPSS is low at 0.04%.

Privilege Escalation RCE Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9983 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a type confusion bug in the Skia graphics library. The flaw was reported by the Chrome team and is rated High severity by Chromium; no public exploit has been identified at time of analysis, though browser type-confusion bugs in Skia have historically been weaponized. Exploitation requires user interaction (UI:R) - typically visiting an attacker-controlled or compromised page.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9976 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows attackers to run arbitrary code by luring a victim to a crafted HTML page that abuses an inappropriate implementation in the browser's USB subsystem. Chromium rates the severity as High and the CVSS 8.8 vector reflects unauthenticated network exploitation with required user interaction. No public exploit identified at time of analysis, but the vendor has shipped a stable channel patch.

Google RCE Code Injection Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9938 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The Chromium project rates the severity as High and CVSS scores it 8.8 (network-reachable, low complexity, no privileges, user interaction required). No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), suggesting limited near-term mass-exploitation likelihood despite the high impact rating.

Google RCE Code Injection Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9910 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds memory access in the ANGLE graphics translation layer that lets a remote attacker run arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and the EPSS score of 0.04% (12th percentile) indicates very low observed exploitation likelihood at this time.

Google Information Disclosure RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9887 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10019 HIGH PATCH This Week

Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the ANGLE graphics translation layer, allowing a remote attacker who lures a user to a crafted HTML page to bypass same-origin protections and exfiltrate sensitive data from other domains. The flaw carries a CVSS 8.8 rating due to network reachability and high impact across confidentiality, integrity, and availability, though Chromium itself rates the severity as Medium. EPSS is very low at 0.03% (11th percentile) and no public exploit identified at time of analysis, indicating limited near-term exploitation pressure despite the high CVSS.

Google Information Disclosure Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-10002 HIGH PATCH This Week

Heap corruption in Google Chrome's PDFium component (versions prior to 148.0.7778.216) allows a remote attacker to potentially achieve code execution by tricking a user into opening a crafted PDF file. The flaw is a use-after-free condition rated High severity by Chromium, with no public exploit identified at time of analysis and a low EPSS score (0.03%) suggesting limited near-term mass exploitation despite a CVSS of 8.8. A vendor patch has been released via the Chrome Stable channel update.

Google Use After Free Denial Of Service Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9965 HIGH PATCH This Week

Out-of-bounds write in the ANGLE graphics translation layer of Google Chrome before 148.0.7778.216 allows a remote attacker to trigger heap corruption by luring a user to a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates the severity as High and CVSS scores it 8.8, but EPSS exploitation probability is currently very low (0.03%, 11th percentile) and no public exploit identified at time of analysis. The flaw was reported through Chrome's internal disclosure process and a fixed build is already available from the vendor.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9961 HIGH PATCH This Week

Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.

Google Use After Free Denial Of Service Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9958 HIGH PATCH This Week

Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.

Google Use After Free Denial Of Service Memory Corruption Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9923 HIGH PATCH This Week

Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.

Google Use After Free Denial Of Service Memory Corruption Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
Prev Page 2 of 11 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy