Use-after-free in Google Chrome's WebGL component (prior to 149.0.7827.53) exposes process memory to remote attackers who can lure a user to a crafted HTML page. The vulnerability is limited to confidentiality - CVSS C:H/I:N/A:N - meaning an attacker can read potentially sensitive data from Chrome's process memory but cannot write or crash the process per the scored vector. No public exploit has been identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating low observed exploitation pressure. Google has shipped a fix in the stable channel release 149.0.7827.53.
Uninitialized memory read in Chrome's WebML component on macOS exposes potentially sensitive process memory contents to remote attackers. Affected are all Chrome versions prior to 149.0.7827.53 on Mac; exploitation requires convincing a user to visit a specially crafted HTML page. No public exploit code or active exploitation (CISA KEV) has been identified, and the EPSS score of 0.03% (10th percentile) reflects low real-world exploitation likelihood at time of analysis.
Heap-based buffer overflow in the Skia graphics rendering library within Google Chrome versions prior to 149.0.7827.53 enables remote attackers to read sensitive data from renderer process memory. Exploitation requires no authentication (PR:N) but does require user interaction - a victim must visit a specially crafted HTML page - and yields high confidentiality impact (C:H) with no integrity or availability impact per the CVSS vector. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates very low current exploitation probability; CISA KEV active exploitation status is not confirmed.
SQL injection in MasterStudy LMS Pro Plus for WordPress exposes database contents to authenticated instructors through the unsanitized 'columns' parameter, affecting all versions up to and including 4.8.20. The vulnerability stems from insufficient input escaping and absent parameterized query preparation, enabling authenticated attackers with at minimum instructor-level access to append arbitrary SQL to existing queries and extract sensitive data. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk for multi-tenant LMS deployments where instructors are semi-trusted external parties.
Same-origin policy bypass in Google Chrome's Network component (versions prior to 149.0.7827.53) enables a post-compromise attacker who already controls the renderer process to subvert cross-origin enforcement via a crafted HTML page. The CVSS integrity impact is rated High (I:H), but exploitation is gated behind a required renderer-process pre-compromise, substantially raising the real-world attack bar. No public exploit code exists and no CISA KEV listing is present; EPSS stands at 0.02% (6th percentile), consistent with Google's own Low severity rating for this issue.
Site isolation bypass in Google Chrome's Navigation component allows a remote attacker who has already compromised the renderer process to break Chrome's cross-origin security boundary via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The CVSS vector (I:H) reflects high integrity impact against protected origins, but the real-world risk is substantially gated by the prerequisite of renderer process compromise - a condition Google itself rates as 'Low' severity in Chromium's internal classification. No public exploit code or CISA KEV listing has been identified at time of analysis.
Same-origin policy bypass in Google Chrome's FileSystem API implementation affects all desktop versions prior to 149.0.7827.53, exploitable by a remote attacker who has already achieved renderer process compromise. Delivering a crafted HTML page to a victim who interacts with it triggers the flaw, resulting in high-integrity cross-origin impact with no confidentiality or availability consequence. No public exploit code exists and EPSS sits at 0.02% (6th percentile), but the integrity impact and its role as a renderer-escape pivot make it relevant to multi-stage exploitation chains.
Same-origin policy bypass in the Cast component of Google Chrome (prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin integrity protections via a crafted HTML page, requiring only that the target user visit the attacker-controlled page. The CVSS vector confirms high integrity impact with no confidentiality or availability consequence, indicating the attack allows unauthorized cross-origin writes or data manipulation rather than information disclosure. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) signals low observed exploitation interest despite the medium-severity Chromium classification.
Subresource Integrity (SRI) policy enforcement failure in Google Chrome prior to 149.0.7827.53 enables remote attackers to bypass Content Security Policy protections via malicious network traffic. Affected users who visit attacker-influenced pages may have tampered scripts or resources loaded without the expected cryptographic hash validation that SRI is designed to enforce, undermining integrity guarantees that web applications depend on as a security boundary. No active exploitation is confirmed (not in CISA KEV), EPSS is very low at 0.02% (6th percentile), and a vendor patch is available at 149.0.7827.53.
Same-origin policy bypass in Google Chrome's WebAppInstalls component allows a remote attacker who has already compromised the renderer process to circumvent cross-origin protections via a crafted HTML page, yielding high integrity impact with no confidentiality or availability loss. All Chrome versions prior to 149.0.7827.53 are affected. No public exploit code has been identified and EPSS places this at the 6th percentile (0.02%), indicating very low observed exploitation probability; this is not listed in CISA KEV.
Same-origin policy bypass in Google Chrome DevTools (versions prior to 149.0.7827.53) enables a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The flaw stems from insufficient input validation (CWE-20) within the DevTools component, yielding a High integrity impact while leaving confidentiality and availability unaffected. No public exploit code exists at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating low observed exploitation pressure; this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Same origin policy bypass in Google Chrome's Network component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to exfiltrate or manipulate cross-origin data via a crafted HTML page. The integrity impact is rated High (I:H) with no confidentiality or availability impact, meaning the primary risk is unauthorized cross-origin writes or request forgery rather than data theft. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating low observed exploitation probability despite the medium CVSS score.
Same-origin policy bypass in Google Chrome's DevTools component (all versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass SOP protections via a crafted HTML page, resulting in a high-integrity impact with no confidentiality or availability loss. The attack requires user interaction (victim must visit a malicious page) and a prior renderer process compromise as a chained prerequisite, materially constraining real-world exploitability beyond the raw CVSS score implies. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; EPSS probability stands at 0.02% (6th percentile), consistent with a low-probability exploitation scenario.
Site isolation bypass in Google Chrome prior to 149.0.7827.53 enables a remote attacker - who has already compromised the renderer process - to escape cross-origin protections via a crafted HTML page. The vulnerability stems from inappropriate handling of the Input component (CWE-20: Improper Input Validation) within Chromium's renderer, allowing crafted input to undermine the site isolation security boundary and produce high-integrity impact against cross-origin resources. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.02% (6th percentile), consistent with the renderer pre-compromise prerequisite that constrains standalone exploitation.
Same-origin policy bypass in Google Chrome's Extensions component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to perform unauthorized cross-origin actions via a crafted HTML page. The vulnerability stems from insufficient input validation (CWE-20) in the Extensions subsystem and carries a CVSS integrity impact of High with no confidentiality or availability loss. No active exploitation has been confirmed - EPSS sits at 0.02% (6th percentile), SSVC exploitation status is 'none', and the CVE is not listed in CISA KEV - but a vendor-released patch is available.
Same-origin policy bypass in the PreviewTab component of Google Chrome for Android (versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin isolation and corrupt content integrity. Exploitation requires social engineering - the victim must visit a crafted HTML page and be manipulated into performing specific UI gestures within the PreviewTab interface. The CVSS vector scores high integrity impact (I:H) with no confidentiality or availability impact, indicating an attacker can alter or inject content across origin boundaries but cannot directly exfiltrate data. No public exploit code or CISA KEV listing has been identified; EPSS sits at 0.02% (4th percentile), reflecting very low current exploitation probability.
Site isolation bypass in Google Chrome's Fenced Frames component allows an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53 on desktop platforms. No public exploit code has been identified at time of analysis, and EPSS sits at a low 0.02% (4th percentile), consistent with Chromium's own 'Low' severity rating despite the 6.5 CVSS score - real-world risk is contingent on a separate, preceding renderer exploit.
Safe Browsing bypass in Google Chrome prior to 149.0.7827.53 allows a remote attacker to circumvent discretionary access control protections by delivering a specially crafted RAR file to a victim who interacts with it. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms no authentication or elevated privileges are required on the attacker side, but exploitation depends on user interaction - the victim must engage with the malicious RAR file. The integrity impact is rated High (I:H) with no confidentiality or availability impact, indicating the primary risk is bypassing file-based access controls enforced by the Safe Browsing subsystem. No public exploit identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low observed exploitation probability.
Navigation restriction bypass in Google Chrome for iOS (versions prior to 149.0.7827.53) exploits an inappropriate implementation within the Signin component, enabling a remote attacker to circumvent navigation controls by delivering a crafted HTML page to a victim. Per CVSS (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N), no authentication is required by the attacker, but user interaction is necessary - the victim must visit or load the malicious page. No public exploit has been identified at time of analysis, SSVC reports exploitation as none, and the EPSS score of 0.02% (4th percentile) indicates very low likelihood of opportunistic exploitation; nevertheless, the high integrity impact warrants prompt patching on all managed iOS Chrome deployments.
Same-origin policy bypass in Google Chrome's Workers subsystem (versions prior to 149.0.7827.53) permits a remote attacker who has already compromised the renderer process to circumvent cross-origin restrictions via a crafted HTML page, resulting in high-severity integrity impact (CVSS I:H). The flaw, rooted in insufficient policy enforcement (CWE-284), functions as a second-stage chained exploit rather than an initial access vector, requiring renderer compromise as a prerequisite. No active exploitation has been identified (SSVC: exploitation none; EPSS 0.02%), and a vendor-released patch is available as of Chrome 149.0.7827.53.
Insufficient policy enforcement in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote, unauthenticated attacker to bypass discretionary access control by delivering a crafted HTML page to a victim. Per the CVSS vector (C:N/I:N/A:H), the confirmed impact is high availability disruption - notably not credential exfiltration - suggesting the bypass degrades or denies Password Manager functionality rather than exposing stored credentials. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating no widespread exploitation pressure at time of analysis.
Navigation restriction bypass in Google Chrome DevTools (all versions prior to 149.0.7827.53) enables circumvention of browser navigation controls through a crafted malicious Chrome Extension. Exploitation requires convincing a target user to install the malicious extension, placing this firmly in social-engineering territory rather than opportunistic mass exploitation. EPSS is extremely low at 0.02% (4th percentile), no public exploit code has been identified, and there is no CISA KEV listing, making this a moderate-priority integrity-only issue despite the CVSS 6.5 score.
Same-origin policy bypass in Google Chrome's Paint component prior to version 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin integrity protections by inducing a user to visit a crafted HTML page. The flaw stems from insufficient policy enforcement in the Paint subsystem (CWE-639), enabling an attacker to write or manipulate content across origin boundaries, resulting in high integrity impact with no confidentiality or availability loss per the CVSS vector. No public exploit code has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low current exploitation probability.
Insufficient policy enforcement in Google Chrome's Autofill subsystem (versions prior to 149.0.7827.53) enables remote unauthenticated attackers to bypass discretionary access control, resulting in high-integrity impact when a victim visits a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/I:H) confirms the attack is network-delivered, low-complexity, and requires no privileges, though user interaction is a prerequisite. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects low observed exploitation pressure.
Insufficient same-origin policy enforcement in Google Chrome's Paint rendering component (prior to 149.0.7827.53) allows unauthenticated remote attackers to bypass SOP boundaries via a crafted HTML page, resulting in high integrity impact against the victim's browser context. The attack requires user interaction (visiting a malicious page) but no authentication or elevated privileges. No public exploit code has been identified and no CISA KEV listing exists at time of analysis; EPSS is extremely low at 0.02% (4th percentile), indicating limited observed exploitation activity in the wild.
Same-origin policy bypass in Google Chrome's Paint component (all versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to violate cross-origin integrity protections by delivering a crafted HTML page to a victim. The CVSS vector (AV:N/AC:L/PR:N/UI:R/I:H) confirms network-based, low-complexity exploitation with no privilege requirement, though victim interaction - visiting the attacker's page - is mandatory. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity; this is not listed in CISA KEV.
Same-Origin Policy bypass in Google Chrome's Canvas implementation affects all versions prior to 149.0.7827.53, allowing a remote unauthenticated attacker to violate cross-origin integrity guarantees through a crafted HTML page. The vulnerability carries a High integrity impact (I:H) with no confidentiality or availability consequence, meaning an attacker can write or manipulate cross-origin data rather than read it. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (4th percentile) suggests minimal observed exploitation pressure currently.
Same-origin policy bypass in Google Chrome prior to 149.0.7827.53 enables remote unauthenticated attackers to violate cross-origin isolation boundaries through a crafted HTML page, producing high integrity impact with no confidentiality or availability loss. Rooted in an inappropriate DOM implementation (CWE-346: Origin Validation Error), the flaw allows a malicious page to cross origin boundaries and manipulate content or state belonging to a different origin. No public exploit code and no CISA KEV listing exist at time of analysis; the EPSS score of 0.02% (4th percentile) reinforces limited real-world exploitation pressure despite the medium CVSS 6.5 rating.
Content Security Policy bypass in Google Chrome for Android prior to 149.0.7827.53 allows a remote attacker to circumvent CSP restrictions by delivering a crafted HTML page to a victim user. The flaw resides in Chrome's Navigation subsystem, where policy enforcement is insufficient, enabling injection or execution of content that CSP headers would otherwise block. No public exploit has been identified at time of analysis, and EPSS sits at the 4th percentile, but the zero-privilege-required, network-accessible attack surface warrants prompt patching on Android deployments.
Navigation restriction bypass in Google Chrome prior to version 149.0.7827.53 enables a remote, unauthenticated attacker to circumvent browser navigation policies by delivering a crafted HTML page to a victim. The flaw resides in the 'Actor' component of the Chromium engine, where policy enforcement is insufficient, leading to a high-integrity-impact breach (CVSS I:H) without any compromise of confidentiality or availability. No public exploit code and no active exploitation have been identified at time of analysis; EPSS stands at 0.02% (4th percentile), reinforcing a currently low real-world exploitation probability.
Navigation restriction bypass in Google Chrome's Link Preview feature allows a remote attacker who has already compromised the renderer process to circumvent intended browsing boundaries via a crafted HTML page. All Chrome versions prior to 149.0.7827.53 on desktop are affected. The real-world threat is as a second-stage exploitation primitive within a browser attack chain - an attacker leverages this CWE-284 flaw to escape navigation controls after gaining an initial foothold in the renderer, achieving high integrity impact with no confidentiality or availability loss. No public exploit code has been identified and EPSS stands at 0.02% (4th percentile), indicating low observed exploitation probability at time of analysis.
Same Origin Policy bypass in Google Chrome's Workers implementation (versions prior to 149.0.7827.53) allows an unauthenticated remote attacker to violate cross-origin integrity boundaries by luring a victim to a crafted HTML page. The CVSS vector confirms no privileges are required but user interaction is necessary, yielding a High integrity impact with no confidentiality or availability consequence. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), indicating no confirmed active exploitation at time of analysis.
Same-origin policy bypass in Google Chrome's Passwords component prior to version 149.0.7827.53 allows remote attackers to access cross-origin resources via a crafted HTML page that a victim must visit. Rated High severity by Chromium with a CVSS of 8.1, the flaw enables exposure or modification of sensitive data across origin boundaries when a user is lured to attacker-controlled content. EPSS probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, but a vendor patch is available.
Discretionary access control bypass in Google Chrome's Extensions subsystem affects all versions prior to 149.0.7827.53, enabling integrity compromise without exposing confidential data. Exploitation requires convincing a target user to install a crafted malicious Chrome Extension, placing social engineering at the center of any attack path. No public exploit code exists and no active exploitation has been confirmed; EPSS sits at 0.01% (1st percentile), indicating very low observed exploitation probability at time of analysis.
Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.
Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.
Out-of-bounds heap read in Google Chrome's Extensions component on Linux exposes sensitive process memory to a malicious extension author. Affected versions are Chrome on Linux prior to 149.0.7827.53; Windows and macOS are not listed as affected. Exploitation requires convincing a target user to install a crafted malicious extension, limiting exposure compared to the CVSS 6.5 score implies - no public exploit identified at time of analysis, and EPSS of 0.01% (1st percentile) reflects low current exploitation probability.
Same-origin policy bypass in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) allows an attacker who socially engineers a user into installing a crafted malicious extension to violate cross-origin boundaries, enabling unauthorized integrity impact against content from other origins. The CVSS vector (I:H, C:N) confirms the impact is write/modify-only - sensitive data exfiltration is not a direct consequence. No public exploit code or active exploitation has been identified at time of analysis; EPSS is negligible at 0.01% (1st percentile), consistent with the social-engineering prerequisite limiting mass exploitation.
Navigation restriction bypass in Google Chrome's Extensions subsystem (all versions prior to 149.0.7827.53) enables circumvention of browser-enforced navigation controls when a user installs a crafted malicious extension. Rooted in CWE-284 (Improper Access Control), the flaw allows the extension to override navigation guards - potentially enabling unauthorized redirects or bypass of URL-based security policies - with a high integrity impact per CVSS (I:H). No public exploit has been identified at time of analysis, EPSS is 0.01% (1st percentile), and the vulnerability is not listed in CISA's KEV catalog, indicating low current exploitation momentum despite a medium CVSS score of 6.5.
Site isolation bypass in Google Chrome prior to version 149.0.7827.53 enables an attacker to circumvent Chrome's site isolation security boundary through a crafted malicious extension, resulting in high integrity impact (I:H per CVSS). The attack is gated by user interaction - specifically, the victim must be convinced to install the malicious extension - after which the extension exploits insufficient policy enforcement in Chrome's Extensions subsystem to cross site isolation boundaries without authorization. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates negligible current exploitation interest.
Insufficient policy enforcement in Google Chrome's Extensions subsystem prior to version 149.0.7827.53 allows a crafted extension to bypass discretionary access controls (DAC), producing high-integrity impact with no confidentiality or availability consequence. Exploitation requires an attacker to socially engineer a user into installing a malicious extension, after which the extension subverts Chrome's permission boundary enforcement. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; EPSS is extremely low at 0.01% (1st percentile), consistent with no observed mass exploitation.
Order state transition endpoints in Shopware's Admin API expose a vertical authorization bypass (CWE-862) where authenticated low-privileged users can manipulate order lifecycle states - including cancellation, fulfillment, and payment transitions - without holding the required `order:update` ACL privilege. The structural gap exists across both the 6.6.x and 6.7.x release lines because the affected routes in `OrderActionController.php` carry no ACL metadata, causing `AclAnnotationValidator` to exit without enforcing any privilege check, and the downstream `StateMachineRegistry` then executes writes under `Context::SYSTEM_SCOPE`. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation is mechanically trivial for any authenticated Admin API user regardless of their assigned role.
Privilege escalation in Shopware's Admin API allows authenticated users holding only the low-privilege `user:create` or `user:update` ACL to promote any account - including newly created ones - to full administrator access. The flaw exists in `UserController::upsertUser()` across composer packages `shopware/platform` and `shopware/core`, affecting all releases below 6.6.10.18 and the 6.7.x line below 6.7.10.1. Shopware has released patched versions; no public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is straightforward for any user with delegated user-management API access.
Privilege escalation in Shopware's Sync API allows an authenticated API user holding the `integration:create` ACL to self-elevate to full administrator by posting `admin: true` via `POST /api/_action/sync`. The dedicated `IntegrationController` correctly enforces an admin-only guard on this field, but the Sync API routes writes through `SyncService → EntityWriter::upsert()`, which only validates entity-level ACL and `WriteProtection` flags - neither of which are present on the `admin` BoolField in `IntegrationDefinition`. Affected are `shopware/platform` and `shopware/core` prior to 6.6.10.18 and prior to 6.7.10.1; no public exploit or CISA KEV listing is confirmed at time of analysis, though the attack is mechanically trivial for any credential holder with the prerequisite ACL.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.
Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.
Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.
Navigation restriction bypass in Google Chrome's Glic component (versions prior to 149.0.7827.53) enables remote attackers to circumvent browser navigation controls by delivering a crafted HTML page that the victim must open. The vulnerability is rooted in an inappropriate implementation (CWE-284, Improper Access Control) within the Glic subsystem and yields limited but multi-dimensional impact across confidentiality, integrity, and availability (C:L/I:L/A:L). No public exploit identified at time of analysis and this CVE does not appear in CISA KEV; Google has assigned a 'Medium' severity rating consistent with the CVSS 6.3 score.
Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote, unauthenticated attacker to circumvent policy enforcement in the browser's Actor component by delivering a crafted HTML page to a target user. The flaw (CWE-602) enables unauthorized navigation actions that could expose users to cross-origin manipulation or redirects with low but non-trivial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and EPSS of 0.02% combined with SSVC exploitation status of none indicates limited active threat, though the broad attack surface of any Chrome desktop user visiting a malicious page warrants timely patching.