Skip to main content
CVE-2026-20245 HIGH POC KEV THREAT NEWS Act Now

Local privilege escalation in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated netadmin user to execute arbitrary commands as root by uploading a crafted file through the CLI. Cisco has observed limited real-world exploitation that resulted in unauthorized configuration changes being pushed to downstream edge devices, though the issue is not currently listed in CISA KEV and no public exploit code has been identified at time of analysis.

Command Injection Cisco
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.1%
Threat
4.6
CVE-2026-28318 HIGH POC KEV THREAT NEWS Act Now

Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption), affecting service availability without compromising confidentiality or integrity; no public exploit identified at time of analysis.

Denial Of Service Serv U
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
Threat
4.5
CVE-2019-25728 HIGH POC This Week

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25730 HIGH POC This Week

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25726 HIGH POC This Week

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi All In One Video Downloader
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25745 HIGH POC This Week

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google SQLi WordPress
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25732 HIGH POC This Week

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25736 HIGH POC This Week

LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the Host IP field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Labf Nfsaxe
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25735 HIGH POC This Week

AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Allplayer
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25733 HIGH POC This Week

NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Buffer Overflow Netsharewatcher
NVD Exploit-DB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-25551 HIGH POC This Week

Local privilege escalation in Seagull Software BarTender 2021 R1 through 12.0.1 allows any low-privileged user on the host to gain SYSTEM execution by sending a crafted BinaryFormatter payload to a localhost-bound .NET Remoting endpoint. Publicly available exploit code exists (a YSoSerial.NET-based PoC is published as a GitHub gist), and the issue carries a CVSS 4.0 base score of 8.5 with high confidentiality, integrity, and availability impact. No CISA KEV listing is present, so exploitation is opportunistic rather than confirmed in-the-wild.

Deserialization RCE Bartender 2021
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42824 HIGH POC PATCH NEWS NO ACTION HOSTED Monitor

Information disclosure in Microsoft 365 Copilot allows remote unauthenticated attackers to exfiltrate data via command injection (CWE-77) over the network. Microsoft reported the issue (CVE-2026-42824) with a CVSS 3.1 base score of 7.5 reflecting high confidentiality impact only, and publicly available exploit code exists though it is not listed in CISA KEV. EPSS is very low at 0.08% (24th percentile) and the CISA SSVC decision framework rates exploitation as 'none' and automatable as 'no', suggesting realistic exploitation is currently limited despite the POC.

Command Injection Microsoft 365 Copilot
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-10873 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 firmware allows authenticated remote attackers to execute arbitrary operating system commands by manipulating input to the rstats_path function within the /bin/rstats binary exposed via the Web UI. Publicly available exploit code exists per the Gitee advisory disclosed through VulDB, and the affected project is end-of-life - superseded by FreshTomato - meaning no upstream vendor patch is forthcoming. CVSS 4.0 base score is 7.3 with high privileges required but high confidentiality, integrity, and availability impact on the router.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-10870 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_dhcpc function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists per the VulDB advisory. The project has been discontinued and superseded by FreshTomato, meaning no upstream fix from the original maintainer is expected.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-10872 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary operating system commands via the start_vpnserver function in /sbin/rc, reachable through the Web UI. Publicly available exploit code exists, and the project is end-of-life - superseded by FreshTomato - meaning no upstream patch is forthcoming. The CVSS 4.0 score of 7.3 reflects high impact on confidentiality, integrity, and availability, but high privileges are required to trigger the flaw.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-10871 HIGH POC This Week

OS command injection in Shibby Tomato 1.28.0000 router firmware allows authenticated remote attackers to execute arbitrary shell commands by manipulating the ipv6_6rd_borderrelay argument processed by the start_6rd_tunnel function in /sbin/rc via the Web UI. Publicly available exploit code exists per VulDB disclosure, and the project is end-of-life - superseded by FreshTomato - meaning no upstream fix is expected.

Command Injection Tomato
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2019-25740 HIGH POC This Week

Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Js Jobs
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43984 HIGH PATCH This Week

Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when guest access is enabled) to inject HTML/JavaScript into the main application log via the log_js_errors endpoint, which later executes in an administrator's browser when the admin opens the logFile viewer. The flaw enables privilege escalation against the Plex Media Server monitoring tool's admin account. No public exploit identified at time of analysis, but the vendor-published advisory and confirmed patch in 2.17.1 make the issue well-documented.

XSS Python
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-41065 HIGH PATCH This Week

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh installations (pre-setup wizard) by abusing the newsletter custom template directory feature to load a malicious Mako template from an attacker-controlled SMB share. On completed installations the same chain remains exploitable by any authenticated admin. Publicly available exploit code exists per SSVC, and the SSVC framework rates this as automatable with total technical impact, though no CISA KEV listing has been confirmed.

Python Ssti RCE Tautulli
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.4%
CVE-2026-10928 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code through a crafted HTML page that triggers script injection in the Headless component. The flaw is rated High severity by Chromium and carries a CVSS 3.1 base score of 8.8, requiring only that a victim load attacker-controlled web content. No public exploit identified at time of analysis, but Google has released a fix in the Stable channel update for desktop.

Code Injection Google RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11076 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a type confusion flaw in the CSS engine that lets a remote attacker run arbitrary code within the renderer sandbox by enticing a victim to load a crafted HTML page. The CVSS 8.8 score reflects network reach with low attack complexity but requires user interaction (UI:R) to visit the malicious page, and no public exploit identified at time of analysis. A vendor patch is available via the Chrome Stable channel update published in June 2026.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10962 HIGH PATCH This Week

Remote code execution in Google Chrome before 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page that triggers a type confusion in the Media component. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a page), and while no public exploit has been identified at time of analysis, Chromium-rated High Media bugs have historically been chained with sandbox escapes for full compromise.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10936 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows attackers to execute arbitrary code within the renderer sandbox by luring a user to a malicious web page. The flaw stems from a type confusion bug rated High severity by Chromium's security team, and while no public exploit has been identified at time of analysis, V8 type confusion bugs are historically high-value targets for browser exploitation chains. A vendor patch is available.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10935 HIGH PATCH This Week

Remote code execution in Google Chrome V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox by serving a crafted HTML page to a victim. The flaw is a type confusion bug (CWE-843) in V8 rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation status 'none' from CISA's framework.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10910 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a type confusion bug (CWE-843) rated High severity by Chromium with a CVSS 8.8 score; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. User interaction is required, as the victim must visit attacker-controlled or compromised content.

Google Memory Corruption RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11230 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 149.0.7827.53 stems from a use-after-free flaw in the Extensions component, allowing a remote attacker who tricks a user into visiting a crafted HTML page to execute arbitrary code inside the browser's renderer sandbox. The issue is rated High by NVD (CVSS 8.8) despite Chromium's own Low severity tag, and no public exploit identified at time of analysis. A vendor patch is available via the June 2026 Stable Channel update.

Google Memory Corruption RCE Use After Free Denial Of Service
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11173 HIGH PATCH This Week

Out-of-bounds write in the V8 JavaScript engine of Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to execute arbitrary code within the sandbox via a crafted HTML page. The flaw requires user interaction (visiting a malicious page) and prior renderer compromise, and no public exploit identified at time of analysis. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though Google classifies the Chromium severity as Medium.

Google Memory Corruption Buffer Overflow RCE Red Hat +2
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11171 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine prior to 149.0.7827.53 allows remote attackers to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw stems from an integer overflow (CWE-472) in Blink and carries a CVSS 3.1 score of 8.8; no public exploit identified at time of analysis, though a vendor patch has been released through the Chrome Stable channel update.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11164 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) tagged for RCE and DoS impact, and no public exploit has been identified at time of analysis. CISA SSVC currently lists exploitation as 'none' despite the high CVSS 8.8 score, indicating significant theoretical impact but no observed in-the-wild activity yet.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11136 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows attackers to execute arbitrary code within the renderer sandbox through a use-after-free flaw in the Canvas component. Exploitation requires a victim to visit a crafted HTML page, and no public exploit has been identified at time of analysis. Google rates this as Medium severity internally despite the CVSS 8.8 score, reflecting the sandbox containment limit.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11130 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Media component, allowing a remote attacker who can lure a victim to a crafted HTML page to execute arbitrary code within the renderer sandbox. The high CVSS score of 8.8 reflects the severe impact triad (C:H/I:H/A:H), though exploitation requires user interaction (UI:R) and code execution is contained within Chrome's sandbox boundary. There is no public exploit identified at time of analysis, and SSVC indicates no observed exploitation.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11125 HIGH PATCH This Week

Remote code execution in Google Chrome prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Compositing component. The flaw carries a CVSS 8.8 rating and is tagged as RCE/DoS/memory corruption, though no public exploit identified at time of analysis and Google rates the security severity as Medium. Exploitation is constrained to in-sandbox code execution and requires user interaction (visiting the malicious page).

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11117 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.53 allows a remote attacker to exploit a use-after-free condition in the Views component via a crafted HTML page. The flaw carries a CVSS 3.1 score of 8.8 with network attack vector and requires user interaction (visiting a malicious page), and no public exploit has been identified at time of analysis despite Google's vendor patch being released.

Google Memory Corruption RCE Use After Free Microsoft +4
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11077 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a bad cast in the Dawn WebGPU implementation. The flaw carries a CVSS 8.8 rating with user interaction required (visiting a malicious page), and no public exploit has been identified at time of analysis despite Google rating the underlying Chromium severity as Medium. The vendor has released a patched stable channel build addressing this issue alongside other fixes.

Information Disclosure Google Buffer Overflow RCE Red Hat +2
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11060 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to version 149.0.7827.53 allows a remote attacker to escape memory safety boundaries within the renderer sandbox via a crafted HTML page. The flaw stems from a use-after-free condition in the Media component and requires user interaction (visiting a malicious page); no public exploit has been identified at time of analysis. With a CVSS of 8.8 and confirmed Chromium classification, this is a typical browser memory-corruption bug that historically attracts exploit chains.

Google Memory Corruption RCE Use After Free Microsoft +4
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11059 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) carrying a CVSS 8.8 score, with a vendor patch already shipped via the Chrome stable channel and no public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11055 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.53 allows attackers to run arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the ANGLE graphics layer. The flaw carries a CVSS 8.8 score and requires user interaction (visiting a malicious page), and no public exploit identified at time of analysis. The sandbox containment limits direct system impact, but the bug is a strong candidate for chaining with a sandbox escape.

Google Memory Corruption RCE Use After Free Microsoft +4
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11050 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine before version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue rated CVSS 8.8 (High), and while no public exploit has been identified at time of analysis, V8 bugs of this class are historically high-value targets for exploit chains. SSVC indicates no observed exploitation, but technical impact is total within the sandbox boundary.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11049 HIGH PATCH This Week

Remote code execution in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw stems from a use-after-free memory corruption condition (CWE-416) and carries a CVSS 3.1 score of 8.8. No public exploit identified at time of analysis, but a vendor patch has been released by Google.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11028 HIGH PATCH This Week

Sandbox-contained arbitrary code execution in Google Chrome's Media component affects Linux and ChromeOS builds prior to 149.0.7827.53, where a use-after-free flaw can be triggered via a crafted HTML page. Exploitation requires that the attacker has already compromised the renderer process, meaning this bug functions as a second-stage primitive in a multi-vulnerability chain rather than a standalone RCE. No public exploit identified at time of analysis, and Chromium rates the internal severity as Medium despite the NVD CVSS of 8.8.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11000 HIGH PATCH This Week

Remote code execution in Google Chrome on Linux prior to 149.0.7827.53 allows attackers to execute arbitrary code within the renderer sandbox by luring a user to a malicious web page that triggers a use-after-free condition in the Fonts component. The flaw carries a CVSS 3.1 base score of 8.8 (High) and no public exploit identified at time of analysis, though Chromium memory-corruption issues historically attract rapid POC development. Exploitation requires user interaction (visiting attacker-controlled content) but no authentication.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10991 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows remote attackers to execute arbitrary code inside the renderer sandbox by serving a crafted HTML page and convincing a user to perform specific UI gestures. The flaw is a use-after-free (CWE-416) memory corruption issue with a high CVSS score of 8.8, rated Medium severity by Chromium; no public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10987 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers an integer overflow in the V8 JavaScript engine. The flaw is rated High severity by Chromium and carries a CVSS 8.8 score requiring user interaction (visiting a malicious page). At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV, though Chrome V8 bugs are historically attractive targets for exploit developers.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10986 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by delivering a malicious media file. The flaw is rated High severity by Chromium and carries a CVSS 3.1 score of 8.8, requiring only that a user visit attacker-controlled content or open a crafted media resource. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10978 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to version 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component. A remote attacker can deliver malicious network traffic that, combined with minimal user interaction, allows arbitrary code execution within the browser's renderer context. No public exploit identified at time of analysis, but Google rates the underlying Chromium severity as High.

Google Memory Corruption RCE Use After Free Microsoft +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10965 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers an integer overflow in DevTools. Google has rated this Chromium issue as High severity and a vendor patch is available; no public exploit identified at time of analysis, and the bug is not currently listed in CISA KEV.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10964 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the V8 JavaScript engine, enabling a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The flaw is rated High severity by Chromium with a CVSS score of 8.8, requires user interaction (visiting a malicious page), and no public exploit has been identified at time of analysis. While exploitation is sandboxed, V8 RCE bugs historically chain with sandbox escapes to achieve full host compromise, making this a priority patch for browser fleets.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10963 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google has rated the issue High severity and shipped a stable-channel patch; no public exploit has been identified at time of analysis, and the bug tracker entry remains access-restricted per Chromium's standard disclosure practice.

Google RCE Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10959 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code inside the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free in the Input component, rated High by Chromium and 8.8 by CVSS. No public exploit identified at time of analysis, but Chrome UAF bugs in renderer-reachable components are historically high-value targets for chained sandbox escapes.

Google Memory Corruption RCE Use After Free Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-10958 HIGH PATCH This Week

Remote code execution in Google Chrome for iOS before 149.0.7827.53 allows a remote attacker to execute arbitrary code by enticing a user to visit a crafted HTML page and perform specific UI gestures, triggering a use-after-free condition. Google rates the underlying Chromium issue as High severity, and no public exploit has been identified at time of analysis. The flaw requires user interaction, which somewhat reduces but does not eliminate real-world risk given Chrome's massive install base on iOS.

Google Memory Corruption RCE Apple Use After Free +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy