Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 lets a remote attacker who has already compromised the renderer process break out of the Chromium sandbox via a crafted HTML page that triggers an out-of-bounds write in Skia. Google rates the underlying Chromium issue High severity and a vendor patch is available, though no public exploit code has been identified at time of analysis.
Sandbox escape in Google Chrome's Chromecast component prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by the Chromium project with a CVSS of 8.3, the flaw requires a prior renderer compromise and user interaction, and no public exploit identified at time of analysis. Successful exploitation gives attackers code execution outside the renderer's restricted context, dramatically expanding impact on the host.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 is possible via an integer overflow in the Dawn WebGPU implementation, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox using a crafted HTML page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and CVSS 8.3, and while no public exploit is identified at time of analysis, sandbox escapes in ANGLE have historically been chained with renderer RCE bugs to achieve full system compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Viz compositor component. Exploitation requires a crafted HTML page and victim interaction, and Google has rated the underlying Chromium security severity as High. No public exploit has been identified at time of analysis, but this class of bug is historically chained with renderer RCE bugs to achieve full browser compromise.
Sandbox escape in Google Chrome on iOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free in the Core component rated High severity by Chromium, and no public exploit identified at time of analysis. Exploitation requires user interaction (visiting a malicious page) and chaining with a prior renderer compromise, raising the practical bar despite the 8.3 CVSS score.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free flaw in the Dawn WebGPU implementation. Exploitation requires luring a victim to a crafted HTML page and chaining this bug with a prior renderer compromise, but the impact is full sandbox escape with high confidentiality, integrity, and availability consequences. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free condition in the FullScreen component. Rated High severity by Chromium with a CVSS of 8.3, the flaw requires user interaction and high attack complexity, and no public exploit identified at time of analysis. The vendor has issued a stable channel update addressing the issue.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free in the Network component, triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Printing component. Google rates the underlying Chromium issue as Critical severity, and no public exploit is identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack and the scope change that results when sandbox boundaries are crossed.
Out-of-bounds read in the ANGLE graphics layer of Google Chrome before 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. Chromium rates the underlying issue Critical severity, and while no public exploit has been identified at time of analysis, the bug is in a historically targeted attack surface (GPU/ANGLE) frequently abused in renderer-to-broker escape chains.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting a use-after-free flaw in the Chromecast component. Google classifies the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The bug requires chaining with a separate renderer compromise, which lowers standalone exploitability but makes it valuable as the second stage of a full browser exploit chain.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the InterestGroups component. Google rates the Chromium severity as High, and CVSS scores it 8.3 with a changed scope reflecting the cross-boundary impact. No public exploit identified at time of analysis, though a vendor patch is available.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting insufficient input validation in the Media component. Google rates the Chromium security severity as High, and no public exploit has been identified at time of analysis. Successful exploitation requires chaining with a separate renderer compromise plus user interaction, raising attack complexity but yielding full host-level impact if achieved.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Media component. Google rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a heap buffer overflow in the Video component, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.3 score reflects the scope change (S:C) that occurs when sandbox boundaries are crossed, though the attack requires high complexity and user interaction.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in ANGLE. Chromium rates the severity as High, and although no public exploit is identified at time of analysis, the CVSS 8.3 score with scope change reflects the cross-boundary impact when chained with a renderer RCE. This is a classic second-stage bug used in browser exploit chains rather than a standalone one-click compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a race condition in the Codecs component. Chromium rates this High severity, and while no public exploit was identified at time of analysis, the bug fits the classic renderer-to-sandbox-escape pattern frequently chained in real-world Chrome exploit kits. CVSS is 8.3 reflecting high attack complexity, required user interaction, and a scope change.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the WebShare component. The bug is rated High severity by Chromium and carries a CVSS 8.3 with scope change reflecting the sandbox boundary crossing, though no public exploit has been identified at time of analysis.
UI spoofing in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to deceive users via a crafted HTML page through insufficient input validation in the Media component. The flaw carries a CVSS of 8.3 due to scope change and high impact ratings, though Chromium internally rates the severity as Low, and no public exploit identified at time of analysis. Exploitation requires a pre-existing renderer compromise and user interaction, narrowing realistic risk despite the elevated CVSS.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) requiring user interaction to visit the malicious page, and no public exploit has been identified at time of analysis despite an EPSS score of 0.03% indicating very low near-term exploitation probability.
Sandbox escape in Google Chrome on Android before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free in the Serial component. Exploitation requires user interaction with a crafted HTML page and a prior renderer compromise, making this a second-stage vulnerability typically chained with another bug. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Google has shipped a patched stable channel build.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing Web Bluetooth policy enforcement. The flaw requires user interaction and a pre-existing renderer compromise, and no public exploit identified at time of analysis. Despite a CVSS of 8.3, EPSS is only 0.03% (10th percentile) and CISA SSVC marks exploitation status as 'none', indicating low real-world exploitation likelihood at present.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the WebShare component. The flaw requires a pre-existing renderer compromise plus user interaction, and no public exploit identified at time of analysis, though Chromium-rated Medium severity and the patch availability suggest defenders should treat it as part of the standard Chrome update cycle.
{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.
Proxy credential disclosure in Axios Node.js HTTP adapter (versions <1.16.0 and <=0.31.1) allows a malicious or attacker-controlled origin to receive the configured Proxy-Authorization header during specific HTTP-to-HTTPS redirect flows where the redirected request bypasses the proxy. No public exploit identified at time of analysis, though the researcher published a safe local proof-of-concept outline. The leaked credential, if reusable and the proxy is reachable, enables the attacker to authenticate to the victim's outbound proxy.
On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Remote code execution and information disclosure in Neterbit NW-431F routers (firmware vNW-431F-20241014-IR03) allow unauthenticated network attackers to compromise the device by sending a crafted command to the at_command.asp interface. The CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against the router's web management interface, and no public exploit identified at time of analysis, though a researcher repository on GitHub may contain proof-of-concept material.
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, allowing remote attackers to execute arbitrary code by delivering malicious network traffic. Google's Chromium team rates the underlying defect as Critical severity, and no public exploit has been identified at time of analysis, though the bug class historically attracts in-the-wild exploitation against browser users.
Universal cross-site scripting (UXSS) in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to inject arbitrary scripts or HTML into the context of other origins via a crafted XML file. The flaw stems from an inappropriate implementation in Chrome's XML handling (CWE-91, XML Injection), enabling same-origin policy bypass when a user is lured into loading attacker-controlled content. No public exploit has been identified at time of analysis, and EPSS exploitation probability is low at 0.06% (18th percentile).
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker to run arbitrary code by tricking a user into interacting with a malicious file, due to an inappropriate implementation in the Safe Browsing component. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.04%, 12th percentile), though the CVSS base score of 8.1 reflects high confidentiality and integrity impact. Chromium internally rated the security severity as Low, suggesting practical exploitability is constrained despite the high CVSS.
Remote code execution in Google Chrome on Linux versions prior to 149.0.7827.53 allows a remote attacker to exploit a use-after-free condition in the Chromoting component via malicious network traffic. The flaw carries a CVSS 3.1 score of 8.1 (high) with no public exploit identified at time of analysis and an EPSS probability of 0.04%, though Google rates the Chromium severity as Low. The vendor has shipped a fix in the stable channel update for desktop.
OS-level privilege escalation in Google Chrome on Linux prior to 149.0.7827.53 allows remote attackers to escalate privileges via malicious network traffic targeting the Chromoting (Chrome Remote Desktop) component. Google has released a patched stable channel update, and while no public exploit has been identified at time of analysis, the network-based attack vector and high impact across confidentiality, integrity, and availability warrant prompt patching. EPSS probability is very low (0.03%), and the issue is not listed in CISA KEV.
Out-of-bounds memory read in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to leak adjacent memory contents when a victim visits a crafted HTML page. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.03%, but the CVSS 8.1 score reflects the user-interaction-only barrier combined with high confidentiality and availability impact. Google has shipped a stable-channel fix and Chromium rates the underlying severity as Medium.
Out-of-bounds memory read in Google Chrome's ANGLE graphics layer on macOS versions prior to 149.0.7827.53 allows remote attackers to disclose memory contents or crash the renderer by enticing a user to visit a crafted HTML page. Google rates the underlying Chromium issue as High severity, and while no public exploit is identified at time of analysis, the EPSS score of 0.03% suggests low near-term mass exploitation likelihood. The flaw requires user interaction (visiting a page) but no authentication, making drive-by web attacks the realistic threat model.
Out-of-bounds memory read in the WebGPU component of Google Chrome before 149.0.7827.53 allows a remote attacker to read memory outside intended buffer boundaries when a victim visits a crafted HTML page. The flaw carries a CVSS 8.1 score due to network reachability and high confidentiality/availability impact, but EPSS sits at 0.03% and SSVC reports no observed exploitation, so the practical risk is currently low despite the high CVSS. No public exploit identified at time of analysis.
Site isolation bypass in Google Chrome's Password Manager prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape cross-origin protections via a crafted HTML page. The flaw stems from insufficient policy enforcement (CWE-602) and chains with a prior renderer compromise, making it a post-exploitation primitive rather than a standalone entry point. EPSS is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as Medium.
Arbitrary code execution within the Chrome renderer sandbox is possible in Google Chrome versions prior to 149.0.7827.53 due to a use-after-free defect in the V8 JavaScript engine. Exploitation requires social engineering a user into installing a malicious Chrome Extension, after which a crafted extension can trigger the memory corruption and run attacker-controlled code inside the sandboxed process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Content Security Policy weakness in HCL Hive Telco Observability's Keycloak authentication component allows remote attackers to leverage missing CSP directives for client-side attacks against authenticated users. The CVSS 8.1 (AV:N/AC:L/PR:N/UI:R) rating reflects high confidentiality and integrity impact contingent on user interaction, with no public exploit identified at time of analysis. The flaw resides in the web application's browser security headers rather than server-side logic.
Authorization bypass in MISP versions through 2.5.38 lets authenticated users delete records via HTTP DELETE requests even after the application's delete-validation callback has rejected the operation. The root cause is an operator-precedence bug in the CRUDComponent::delete() handler where missing parentheses caused validation checks to be skipped for the DELETE method. No public exploit identified at time of analysis, but the upstream fix commit on GitHub publicly discloses the exact one-line vulnerable expression, making weaponization trivial.
Local code execution in Google Chrome for Android prior to 149.0.7827.53 stems from a use-after-free in the WebView component, triggered when a victim opens a malicious file. Per CVSS 7.8 (AV:L/UI:R), exploitation requires local delivery plus user interaction, and there is no public exploit identified at time of analysis (EPSS 0.01%, not in CISA KEV).
Local privilege escalation in Google Chrome on Windows prior to version 149.0.7827.53 allows an attacker with local access to elevate to OS-level privileges by planting a malicious file that the Chrome Installer processes inappropriately. The flaw stems from improper privilege management (CWE-269) in the Installer component and requires user interaction to trigger, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating very low predicted exploitation likelihood.
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 enables an attacker who can deliver a malicious file to a victim to elevate privileges via an inappropriate UI implementation. Google's Chromium team rated the severity as High and a stable channel patch has been released, but no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.
Cross-origin data leakage in Google Chrome's Dawn WebGPU implementation prior to version 149.0.7827.53 allows a remote attacker to read sensitive data from other origins by luring a user to a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS places exploitation probability at 1.64% (82nd percentile).
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Command injection in Microsoft 365 Copilot allows an authenticated attacker with low privileges to execute arbitrary code across a scope-changing trust boundary, leading to high confidentiality impact and limited integrity and availability impact. The flaw stems from improper neutralization of special elements (CWE-77) within the Copilot service and is rated CVSS 7.7 with high attack complexity. No public exploit identified at time of analysis, and the EPSS signal is not provided in the source intelligence.
Stored cross-site scripting in Chartbrew 4.9.0 through 5.0.0 lets a project-editor inject HTML/JavaScript into the ChartDatasetConfig.legend field, which is later rendered into the chart tooltip DOM via an unguarded innerHTML sink in ChartTooltip.js. Every unauthenticated viewer of a public dashboard executes the attacker payload on page load with no hover interaction required, and no public exploit is identified at time of analysis beyond the proof-of-concept payloads documented in the GitHub Security Advisory. Version 5.0.1 contains the fix.
Blind SQL injection in the Photo Gallery by 10Web WordPress plugin (versions up to and including 1.8.41) allows high-privileged authenticated users to inject crafted SQL fragments into a vulnerable query, exfiltrate database contents, and affect availability. CVSS 7.6 (Scope:Changed) reflects the cross-component impact possible from a successful injection within the WordPress database context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Account takeover in Better Auth's deviceAuthorization plugin (versions >= 1.6.0, < 1.6.11) allows an authenticated attacker who learns a pending user_code to bind a victim's polling device to the attacker's session or deny the legitimate sign-in. The flaw stems from a missing ownership claim at the verification step combined with a short-circuited owner check on approve/deny endpoints. No public exploit identified at time of analysis, but the patch PR and detailed advisory provide a clear roadmap for exploitation.