Skip to main content
CVE-2026-11228 MEDIUM PATCH This Month

UI spoofing in Google Chrome's File Input component allows remote unauthenticated attackers to misrepresent interface elements when a user is socially engineered into performing specific UI gestures on a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a Chromium-assigned severity of Low and is limited to integrity impact (I:L) with no confidentiality or availability consequences. No public exploit code exists and no active exploitation is confirmed at time of analysis.

Information Disclosure Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11216 MEDIUM PATCH This Month

UI spoofing in Google Chrome's File Input component (versions prior to 149.0.7827.53) enables remote attackers to misrepresent security-critical interface elements to users through specially crafted HTML pages. The attacker must convince a target to perform specific UI gestures - such as drag-and-drop or deliberate click sequences - to trigger incorrect rendering of the browser's file selection security UI. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) signals very low exploitation probability, consistent with no CISA KEV listing.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11162 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's CSS implementation exposes sensitive information from other origins when a user visits a crafted HTML page. Affected are all Chrome versions prior to 149.0.7827.53 on desktop platforms. An unauthenticated remote attacker can exploit this to read data from cross-origin contexts, violating the browser's Same-Origin Policy via a CSS-based side channel or direct information disclosure path. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) signals low current exploitation activity.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11161 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's DataTransfer API allows unauthenticated remote attackers to read data across origins by directing a victim to a crafted HTML page, affecting all Chrome desktop versions prior to 149.0.7827.53. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:L) confirms network accessibility without attacker authentication, but requires user interaction and yields only limited confidentiality impact with no integrity or availability consequences. No active exploitation is confirmed (not in CISA KEV), and EPSS at 0.03% (11th percentile) consistently signals low current exploitation probability.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11159 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Skia graphics library affects all versions prior to 149.0.7827.53, exploitable via a crafted HTML page requiring only a single user visit. The root cause (CWE-457: use of uninitialized memory) in Chrome's Skia rendering backend allows residual memory contents to be exposed across origin boundaries, violating the browser's same-origin policy. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) and absence from CISA KEV indicate low real-world exploitation probability at this time.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11156 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a user to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network-exploitable, no-privilege-required exploitation with a single user interaction as the only barrier. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation interest despite the low attack complexity.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11155 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to read sensitive cross-origin information by directing a victim to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no privilege requirement, limited only by the need for user interaction. EPSS is 0.03% (11th percentile) and no public exploit has been identified at time of analysis; however, Google has issued a confirmed patch in the stable channel release, and the CWE-352/CSRF tag alongside the data-leakage description suggests a novel or hybrid attack class that security teams should monitor for further clarification.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11107 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Downloads component prior to version 149.0.7827.53 enables remote attackers to misrepresent download-related interface elements by serving a crafted HTML page. The flaw stems from an inappropriate implementation (CWE-451) in the Downloads subsystem, allowing an attacker to manipulate what the user sees during a download interaction - potentially masking file names, types, or origin - without any authentication. No public exploit code exists and EPSS sits at 0.03% (11th percentile), indicating no public exploit identified at time of analysis; however, the no-authentication, low-complexity delivery path warrants prompt patching.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11178 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's WebView component on Android allows an unauthenticated remote attacker to read data from origins outside the attacker's own domain by enticing a user to visit a crafted HTML page. Affected are all Android Chrome versions prior to 149.0.7827.53. No public exploit exists and SSVC classifies exploitation as none, but the network-accessible, low-complexity attack vector warrants patching for Android-heavy enterprise environments handling sensitive cross-origin content.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11234 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's FoldableAPIs component allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a CVSS 4.3 score, an EPSS of 0.02% (4th percentile), is not listed in CISA KEV, and no public exploit has been identified - consistent with Chromium's own 'Low' severity rating. A vendor-released patch (149.0.7827.53) is available.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11219 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to circumvent Chrome's built-in navigation controls by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation in Chrome's Navigation subsystem (CWE-693: Protection Mechanism Failure), yielding low integrity impact with no confidentiality or availability consequences. No public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02% (4th percentile), consistent with Google Chromium's own Low severity classification for this issue.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11126 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome DevTools affects all versions prior to 149.0.7827.53, exploitable through a crafted malicious Chrome Extension. The inappropriate DevTools implementation allows an attacker who successfully social-engineers a victim into installing the extension to read data from cross-origin contexts - violating the browser's same-origin isolation guarantees at the DevTools layer. No public exploit code exists and no CISA KEV listing is present; EPSS at 0.02% (4th percentile) confirms low exploitation probability in the wild, making this a routine patch-cycle priority rather than an emergency response item.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11212 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's DevTools component (prior to 149.0.7827.53) enables an attacker to bypass same-origin policy enforcement through a crafted malicious extension. Exploitation requires convincing a target user to install the attacker-controlled extension, after which cross-origin data can be exfiltrated via insufficient DevTools policy controls. No public exploit code has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google Red Hat Suse Chrome
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-11062 MEDIUM PATCH This Month

Script and HTML injection into privileged Chrome pages is possible in Google Chrome prior to 149.0.7827.53 through insufficient policy enforcement in the Extensions subsystem. An attacker who convinces a user to install a crafted malicious extension can leverage this to inject content into otherwise-restricted privileged pages, compromising page integrity. EPSS is 0.01% (1st percentile), no KEV listing exists, and no public exploit has been identified at time of analysis - indicating low observed exploitation pressure despite the network-accessible attack vector.

Google Code Injection Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48016 MEDIUM PATCH GHSA This Month

Unauthorized payment triggering in Shopware's `/store-api/handle-payment` endpoint allows any low-privileged Store API caller - including guest checkout contexts - to initiate or retry the payment flow for another customer's order by supplying a known foreign `orderId`. The flaw affects `shopware/platform` and `shopware/core` versions below 6.6.10.18 and versions 6.7.0.0 through 6.7.10.0, and is confirmed fixed in releases 6.6.10.18 and 6.7.10.1 per GitHub advisory GHSA-9v5m-39wh-5chq. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects limited scope: integrity of order and payment workflows is the primary risk, with no direct confidentiality or availability impact.

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-48012 MEDIUM PATCH GHSA This Month

Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.

Python Open Redirect
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-52606 MEDIUM This Month

Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resulting in limited integrity impact against the target system. The vulnerability stems from an implementation deficiency in an architectural security tactic - specifically, the application's failure to correctly validate received input against its expected type. No public exploit code exists and no active exploitation has been confirmed; however, the low-complexity, network-accessible attack vector lowers the bar for authenticated users to abuse this flaw.

Information Disclosure Icontrol
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48013 MEDIUM PATCH GHSA This Month

Server-side request forgery in Shopware's media subsystem allows authenticated admin users to make arbitrary HTTP HEAD requests to internal network addresses and cloud metadata endpoints via the `/api/_action/media/external-link` endpoint. The root cause is an inconsistency between two URL-handling flows in `MediaUploadService`: the `uploadFromURL` flow correctly validates resolved IPs against private/reserved ranges, while the `linkURL` flow only checks that the URL begins with `http://` or `https://`. Exploiting this, an admin can probe cloud metadata services, enumerate internal ports, and leak `content-length` values from internal services; no public exploit has been identified at time of analysis, and a vendor-released patch exists in version 6.7.10.1.

PHP Information Disclosure SSRF
NVD GitHub
CVSS 3.1
4.1
EPSS
0.1%
CVE-2026-10998 MEDIUM PATCH This Month

Out-of-bounds memory read in Chrome's Media component allows a local-network-adjacent attacker to leak partial memory contents via specially crafted network traffic. Affects all Chrome releases prior to 149.0.7827.53 on desktop platforms, as confirmed by Google's stable channel advisory. No public exploit code exists and no active exploitation has been identified; SSVC assessment rates technical impact as partial with exploitation status none, placing this in a lower-priority remediation tier despite the unauthenticated vector.

Information Disclosure Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-8462 MEDIUM PATCH GHSA This Month

SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.

Denial Of Service Docker Python SQLi
NVD GitHub
EPSS
0.0%
CVE-2026-45056 MEDIUM PATCH GHSA This Month

Sender identity spoofing in matrix-sdk-crypto (Rust crate) versions 0.12.0 through 0.16.0 allows a malicious or colluding homeserver operator to forge the apparent sender of Olm-encrypted to-device messages by supplying manipulated `sender_device_keys` without a corresponding user ID validation check. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) and is patched in version 0.16.1. No public exploit code exists and this CVE is not listed in CISA KEV, but the attack's reliance on homeserver-level access defines a concrete and realistic threat model for federated Matrix deployments where server trust is not absolute.

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2026-44476 MEDIUM PATCH GHSA This Month

Authentication bypass in doorkeeper-openid_connect's Dynamic Client Registration feature allows any party with a known client_id to obtain OAuth access tokens without supplying a client_secret. The root defect is in DynamicClientRegistrationController#register (dynamic_client_registration_controller.rb:18-25), which hard-codes confidential: false on every dynamically registered application while simultaneously returning a client_secret in the response and advertising client_secret_basic/client_secret_post auth methods. Because Doorkeeper's Application.by_uid_and_secret accepts a nil secret as valid for public (non-confidential) clients, the secret returned at registration is functionally decorative - any caller can authenticate at the token endpoint using only the public client_id. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the advisory includes verbatim reproduction steps that document the bypass in full detail.

Authentication Bypass
NVD GitHub
EPSS
0.1%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy