UI spoofing in Google Chrome on Android prior to 149.0.7827.53 allows remote attackers to misrepresent the Contact Picker security UI via a crafted HTML page, potentially tricking users into disclosing contact information. Chromium rates the underlying severity as Medium, and no public exploit has been identified at time of analysis. EPSS probability is very low (0.03%), and the issue is not listed in CISA KEV.
Heap corruption in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the Skia graphics library that can be triggered by a crafted HTML page. Remote attackers can lure a victim to a malicious web page to potentially achieve arbitrary code execution within the renderer process. No public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.03% (11th percentile), though Chrome rendering bugs historically attract exploit development.
Privilege escalation in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker to escape the browser's normal privilege boundaries by enticing a victim to visit a crafted HTML page that abuses the NFC implementation. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, though Chromium itself classified its security severity as Medium. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis.
Out-of-bounds memory read in the Dawn WebGPU implementation of Google Chrome prior to 149.0.7827.53 allows a remote attacker to access memory outside intended bounds via a crafted HTML page. Exploitation requires the victim to visit an attacker-controlled page, and no public exploit identified at time of analysis. Google rates the Chromium-internal severity as Medium, while NVD assigns CVSS 8.8 reflecting the broad impact on confidentiality, integrity, and availability if successfully triggered.
Out-of-bounds memory access in Google Chrome on Android before version 149.0.7827.53 allows remote attackers to corrupt GPU process memory by luring a user to a crafted HTML page that triggers an integer overflow. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, but EPSS is only 0.03% and no public exploit identified at time of analysis, suggesting low near-term mass-exploitation likelihood despite the severity of the underlying bug class.
Information disclosure in Google Chrome on Linux prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read sensitive data from process memory by serving a crafted HTML page that triggers a use-after-free in the Base component. The flaw is rated Medium by Chromium but scored CVSS 8.8 in NVD, and no public exploit identified at time of analysis with an EPSS of 0.03%.
Heap corruption in Google Chrome's Views component prior to version 149.0.7827.53 allows a remote attacker to potentially execute code in the renderer when a user is convinced to perform specific UI gestures on a crafted HTML page. The flaw is a use-after-free (CWE-416) carrying a CVSS 8.8 rating, but EPSS is very low at 0.03% (11th percentile) and no public exploit is identified at time of analysis. Google has shipped a patched stable channel build, and Chromium rates the underlying issue as Medium severity.
Remote heap corruption in Google Chrome prior to 149.0.7827.53 allows attackers to exploit a use-after-free condition in the Network component via crafted network traffic when a user visits or interacts with attacker-controlled content. Rated CVSS 8.8 with a patch available from Google, though EPSS exploitation probability is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a user visits a crafted HTML page and performs specific UI interactions. The flaw is rated High severity by Chromium and CVSS 8.8, though no public exploit identified at time of analysis and EPSS scoring places near-term mass exploitation probability at 0.03%. A vendor patch is already available through the Stable Channel update.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free in the Views component, triggered by a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Type confusion in the ANGLE graphics translation layer of Google Chrome on Windows prior to 149.0.7827.53 enables remote attackers to trigger out-of-bounds memory access through a crafted HTML page, with potential for memory corruption leading to code execution in the renderer process. Chromium rates this High severity and a vendor patch is available, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently 0.03%.
Heap corruption in Google Chrome on iOS before version 149.0.7827.53 enables remote attackers to potentially execute arbitrary code by enticing a user to interact with a malicious HTML page that triggers a use-after-free in the Autofill component. Chromium rates the underlying flaw as High severity, and while a vendor patch is available, no public exploit has been identified at time of analysis and EPSS remains very low at 0.03%.
Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.
Arbitrary code execution within the Chrome sandbox affects Google Chrome desktop builds prior to 149.0.7827.53 due to an inappropriate implementation in the Isolated Web Apps (IWA) component. A remote attacker who convinces a user to open a malicious file can execute code confined to the sandbox process, with no public exploit identified at time of analysis and an EPSS score of only 0.03% (10th percentile) indicating low predicted exploitation likelihood. Google has shipped a fix in the stable channel update for desktop.
Heap corruption in Google Chrome for Android's WebView component prior to version 149.0.7827.53 allows remote attackers to potentially execute code or crash the browser by luring victims to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated CVSS 8.8 due to network reach and high impact across confidentiality, integrity, and availability, though user interaction is required. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.
Heap corruption in Google Chrome's TabStrip component before 149.0.7827.53 lets a remote attacker who can lure a user into specific UI interactions on a malicious HTML page trigger memory corruption with high impact to confidentiality, integrity, and availability. The flaw carries a CVSS 8.8 due to network reachability and lack of authentication, though user interaction is required; there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Same-origin policy bypass in Google Chrome's DevTools component prior to version 149.0.7827.53 allows remote attackers to violate browser security boundaries when victims perform specific UI gestures on attacker-controlled pages. The flaw stems from insufficient validation of untrusted input within DevTools and is rated High severity by Chromium with a CVSS of 8.8, though no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Site isolation bypass in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to circumvent a core browser security boundary via a crafted HTML page. The flaw resides in the Opaque Response Blocking (ORB) implementation and requires user interaction (visiting a malicious page), with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating low near-term exploitation likelihood.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free condition in the ServiceWorker component that can be triggered by a malicious browser extension. An attacker who convinces a user to install a crafted Chrome Extension can achieve arbitrary code execution within the renderer context. No public exploit has been identified at time of analysis and EPSS exploitation probability is very low at 0.01%, but the high CVSS score (8.8) reflects the severe potential impact.
Arbitrary code execution in Google Chrome for Android prior to 149.0.7827.53 stems from a use-after-free flaw in the WebAppInstalls component, triggered when a victim opens a malicious file. Although the CVSS vector lists a network attack vector with high impact across confidentiality, integrity, and availability, exploitation requires user interaction and no public exploit identified at time of analysis. EPSS probability is very low (0.01%) and SSVC indicates no observed exploitation, suggesting the immediate threat is limited despite the High severity rating from Chromium.
Privilege escalation in Google Chrome DevTools versions prior to 149.0.7827.53 allows attackers to abuse insufficient policy enforcement through a malicious browser extension. The flaw requires user interaction to install a crafted extension, after which the attacker can gain elevated privileges within the browser context. No public exploit identified at time of analysis, and EPSS scoring (0.01%) indicates very low near-term exploitation probability despite the high CVSS rating.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows an attacker on the same local network segment (adjacent network) to execute arbitrary code by sending malicious traffic to the browser's Cast component. The flaw stems from a use-after-free memory corruption issue in the Cast feature (used for media streaming to devices like Chromecast) and is rated High severity by Chromium with a CVSS score of 8.8. No public exploit identified at time of analysis, though a vendor patch has been released.
Remote code execution in Google Chrome's Cast Streaming component (versions prior to 149.0.7827.53) allows an attacker on the same local network segment to execute arbitrary code by sending malicious network traffic to a vulnerable browser. The flaw is rated Critical by the Chromium project and carries a CVSS 3.1 score of 8.8, with no public exploit identified at time of analysis.
Heap corruption in Google Chrome's Cast component prior to version 149.0.7827.53 allows adjacent-network attackers to trigger a use-after-free condition through crafted network traffic, potentially leading to arbitrary code execution within the renderer. Chromium rates the underlying severity as Critical, and no public exploit identified at time of analysis, though the AV:A vector means any attacker sharing the victim's LAN or Wi-Fi segment can attempt exploitation without authentication or user interaction.
Cross-site request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to hijack administrator accounts by tricking an authenticated admin into visiting a malicious page. The `/configUpdate` endpoint accepts state-changing requests without enforcing POST or validating anti-CSRF tokens, and because the session cookie uses SameSite=Lax it remains attached to top-level cross-site navigations. No public exploit identified at time of analysis, but the fix is explicitly called out in the v2.17.1 release notes.
Authorization bypass in Kurt Software Studio WriteUp Mobile App versions 1.3.0 through 04062026 allows authenticated users to access functionality outside their permitted scope, leading to high confidentiality, integrity, and availability impact. The flaw, reported by Turkey's national CERT (TR-CERT), stems from missing ACL enforcement on application functions reachable over the network with low privileges. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Public exposure of telemetry data affects Acer Connect M6E 5G Portable WiFi Router, where misconfigured cloud storage containers leave active device telemetry readable from the internet without authentication. Remote unauthenticated parties can harvest sensitive operational data per the CVSS 4.0 vector (AV:N/PR:N/UI:N, VC:H), and no public exploit identified at time of analysis. The 8.7 CVSS score reflects the high confidentiality impact even though integrity and availability are unaffected.
Information disclosure in the Acer Connect M6E 5G Portable WiFi Router (firmware versions up to and including M6E_AI_1.00.000019) stems from hard-coded, non-expiring credentials embedded in the companion APK that are shared across all deployments. Remote attackers can extract these static secrets from any copy of the application and use them to access sensitive router data without authentication, and no public exploit identified at time of analysis.
Mass user data harvesting on the Acer Connect M6E 5G Portable WiFi Router is possible because the unauthenticated /v1/User/validate endpoint returns full user profile sheets keyed by predictable identifier strings. Remote attackers can iterate through identifiers to scrape every account's profile data without credentials, and no public exploit identified at time of analysis though the trivial attack pattern makes weaponization straightforward.
Unauthenticated root command execution affects the Acer Connect M6E 5G Portable WiFi Router through firmware M6E_AI_1.00.000019, where the ai_cmd utility runs with root privileges and passes socket input directly to popen(). Adjacent-network attackers (anyone on the WiFi or LAN segment) can issue arbitrary shell commands as root with no authentication. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact on the device itself.
Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.
Denial of service in Arista EOS devices with IPsec configured allows remote unauthenticated attackers to halt all IPsec traffic processing by sending a specially crafted packet. The control plane's recovery attempt via pipeline reset may itself fail to restore traffic flow, producing a persistent outage of IPsec-protected communications until manual intervention. No public exploit identified at time of analysis, but the vulnerability was reported by an Arista customer, suggesting it was discovered through real-world operational impact rather than theoretical research.
Command injection in Cloud Foundry BOSH versions prior to v282.1.12 allows an attacker who can upload a release tarball to execute arbitrary shell commands on the BOSH Director host by embedding shell metacharacters in the package name field of the release.MF manifest. The flaw stems from PackagePersister.validate_tgz interpolating the unsanitized name into a `tar -tf` invocation executed through `/bin/sh -c`, with model-level validation occurring only after the shell-out. No public exploit identified at time of analysis, and the bug is not listed in CISA KEV.
Credential disclosure in GX Earth ONT (Optical Network Terminal) devices allows remote attackers positioned on the network path to capture administrative authentication material by sniffing the unencrypted HTTP web management interface. The flaw scores CVSS 4.0 8.7 (High) with CWE-319 (Cleartext Transmission of Sensitive Information), and no public exploit identified at time of analysis, though interception techniques are well-understood and trivial to execute on shared media.
Authenticated remote command injection in GX Earth ONT (Optical Network Terminal) devices allows attackers with valid web management credentials to execute arbitrary OS commands as root via multiple diagnostic functions in the device's web interface. The flaw, reported by CERT-In and tracked as CIVN-2026-0288, carries a CVSS 4.0 score of 8.7 (High) reflecting low attack complexity and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Hardcoded RSA private key in GX Earth 2022 ONT (Optical Network Terminal) firmware allows remote attackers to extract the embedded cryptographic material and decrypt HTTPS sessions or perform man-in-the-middle attacks against device management traffic. CERT-In disclosed the issue (CIVN-2026-0288) affecting multiple GX India fiber ONT models and firmware versions, with no public exploit identified at time of analysis but SSVC flagging the flaw as fully automatable once the key is recovered.
Authentication bypass on the local MQTT broker of the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) allows any connected client to subscribe with wildcard topics (# or +) and either enumerate hidden network devices or publish rogue control commands. CVSS 4.0 rates this 8.6 (High) with network attack vector and high confidentiality/integrity/availability impact; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a local attacker to break out of the browser sandbox via a crafted AppleScript command targeting the Downloads component. The flaw stems from insufficient input validation (CWE-20) and is rated CVSS 8.6 due to scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile).
Command injection in Acer Connect M6E 5G Portable WiFi Router allows authenticated adjacent-network attackers to execute arbitrary OS commands by submitting VPN network profile configuration files containing unsanitized special characters. The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the router, though exploitation requires high privileges and adjacent (not internet-facing) network access. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Local privilege escalation in Forcepoint VPN Client for Windows versions 6.11.3 and prior allows an authenticated low-privileged local user to elevate to SYSTEM. The flaw stems from execution with unnecessary privileges (CWE-250) and carries a CVSS 4.0 score of 8.5, but no public exploit identified at time of analysis. The vulnerability was reported and disclosed by Forcepoint PSIRT itself rather than a third party.
Local privilege abuse in the Acer Connect M6E 5G Portable WiFi Router lets installed applications smuggle raw AT commands across the Android system Binder boundary, where they are forwarded to the cellular baseband without verification. Up to and including firmware M6E_AI_1.00.000019, low-privileged local apps can read sensitive baseband files (IMSI, configuration blobs) and disable cellular connectivity, with no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤M6E_AI_1.00.000019) allows low-privileged local software components to invoke administrative operations via an unprotected Broadcast Receiver. CVSS 4.0 scores this 8.5 (High) with local attack vector and low privileges required, and no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting an uninitialized memory use in the Codecs component. Google has rated this Chromium security severity as High, and no public exploit has been identified at time of analysis. The flaw requires chaining with a separate renderer compromise, but combined with a renderer RCE it enables full host code execution outside Chrome's sandbox.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the Chrome sandbox via a crafted HTML page that triggers a use-after-free in the SurfaceCapture component. The flaw is rated High severity by Chromium and carries a CVSS 3.1 score of 8.3 with scope change, reflecting that successful exploitation crosses the renderer/browser security boundary. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Sandbox escape in Google Chrome for iOS before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free condition. The flaw is rated High severity by Chromium and has a CVSS score of 8.3, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV. Successful exploitation typically requires chaining with a separate renderer-compromise primitive, raising the practical bar.
Sandbox escape in Google Chrome on Android versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw stems from a use-after-free condition in the Core component and is rated High severity by Chromium with a CVSS of 8.3. No public exploit identified at time of analysis, though the bug enables a critical post-exploitation chain step when paired with a renderer RCE.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker who already controls the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Autofill component. Chromium rates the severity High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Sandbox escape in Google Chrome on Windows before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out via a use-after-free in the Audio component when a victim loads a crafted HTML page. Chromium rates the issue High severity and Google has shipped a stable-channel fix, but no public exploit identified at time of analysis and the bug is not listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 can be achieved by remote attackers who have already compromised the renderer process, leveraging an out-of-bounds read in the Dawn WebGPU implementation via a crafted HTML page. Google rates this as High severity and a vendor patch is available, though no public exploit has been identified at time of analysis. The bug is part of a multi-stage exploitation chain rather than a single-step RCE, but successful chaining yields full escape from Chrome's renderer sandbox.