Skip to main content
CVE-2026-11128 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Web Share API prior to version 149.0.7827.53 allows a remote attacker to extract sensitive cross-origin information by convincing a user to perform specific UI gestures on a crafted HTML page, violating browser same-origin policy guarantees. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) reflects high confidentiality impact with no authentication required on the attacker's side, though mandatory user interaction reduces realistic exploitation probability significantly. No public exploit has been identified at time of analysis, and an EPSS score of 0.04% (13th percentile) corroborates low current exploitation activity.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11105 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's WebUI component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to extract sensitive cross-origin information via a crafted HTML page. The vulnerability stems from insufficient input validation (CWE-20) in the WebUI layer, which fails to properly sanitize input arriving from a compromised renderer, breaking Chrome's intended process isolation boundary. No active exploitation has been confirmed (not in CISA KEV), and an EPSS score of 0.04% (13th percentile) reflects low widespread exploitation probability, consistent with this being a second-stage technique requiring a chained renderer compromise.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11008 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's WebAppInstalls component (versions prior to 149.0.7827.53) enables a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin data via a crafted HTML page. The CVSS 6.5 score captures the high confidentiality impact and network accessibility, but understates effective exploitation complexity because a prior renderer compromise is an explicit prerequisite. EPSS is very low at 0.04% (13th percentile), no public exploit code has been identified, and no CISA KEV listing exists at time of analysis, positioning this as a chained exploitation primitive rather than a standalone critical threat.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11007 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's WebView component on Android exposes sensitive information to attackers who have already achieved renderer process compromise. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. A remote attacker, operating from a compromised renderer context, can exfiltrate cross-origin data by delivering a specially crafted HTML page to the victim, bypassing same-origin policy protections. No public exploit code exists and EPSS stands at 0.04% (13th percentile), indicating low observed exploitation pressure at time of analysis; however, the high confidentiality impact (C:H) makes this a meaningful second-stage primitive in multi-vulnerability attack chains.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49940 MEDIUM PATCH This Month

Net::CIDR::Set versions through 0.20 for Perl incorrectly accepts Unicode digits in IP addresses and CIDR netmasks, enabling network access controls to silently permit broader address ranges than intended. Applications relying on this library to enforce IP-based allowlists or blocklists may inadvertently grant or deny access to incorrect network ranges when Unicode look-alike digits (e.g., Arabic-Indic U+0661 instead of ASCII '1') are supplied as input. With no public exploit identified at time of analysis and SSVC exploitation status of none, this is a medium-severity library flaw requiring patch deployment rather than emergency response, but the automatable nature of the attack vector warrants prompt remediation in access-control-sensitive deployments.

Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-36499 MEDIUM PATCH This Month

Resource exhaustion in Open vSwitch v3.6.90 allows an authenticated attacker with OVSDB write access to crash the virtual switch by requesting an unbounded number of handler or revalidation threads via a missing upper-bound check in the udpif_set_threads() function. The SSVC framework confirms a proof-of-concept exploit exists, though the vulnerability is not listed in CISA KEV and automated mass exploitation is assessed as unlikely due to the required management-plane authentication. With CVSS 6.5 and impact limited to availability, this is a moderate-priority finding that becomes high-priority in environments where OVSDB write access is broadly granted or inadequately segmented.

Denial Of Service Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11227 MEDIUM PATCH This Month

Tab Hover Cards in Google Chrome prior to 149.0.7827.53 render domain names incorrectly, enabling a remote unauthenticated attacker to spoof displayed domain identity via a crafted domain name, misleading users about the true destination of a browser tab. CVSS rates Integrity impact as High (I:H), reflecting the real deception potential in phishing scenarios, while Chromium itself labels this Low severity - a notable contrast worth flagging. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) reflects minimal current exploitation interest.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11222 MEDIUM PATCH This Month

Domain spoofing via Tab Strip UI misrepresentation in Google Chrome prior to 149.0.7827.53 enables remote unauthenticated attackers to deceive users into believing they are visiting a legitimate domain by serving a crafted HTML page that corrupts the displayed origin in the tab strip. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms network-accessible exploitation requiring no privileges but requiring user interaction, with integrity impact reflecting successful identity deception rather than data exfiltration or code execution. No public exploit code exists and EPSS at 0.03% (11th percentile) reflects negligible observed exploitation activity; this is not currently listed in the CISA KEV catalog.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11215 MEDIUM PATCH This Month

Domain spoofing in Google Chrome's Cronet networking library on Android (versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent domain names to victims browsing on Android devices. The CVSS vector (AV:N/AC:L/PR:N/UI:R/I:H) confirms high integrity impact with no privileges required, contingent on victim interaction with a crafted URL. EPSS at 0.03% (11th percentile) and no CISA KEV listing indicate no public exploitation at time of analysis, making this primarily a targeted phishing-enablement risk rather than an actively weaponized vector.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11214 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for iOS prior to version 149.0.7827.53 enables a remote unauthenticated attacker to read sensitive data from cross-origin resources by tricking a user into visiting a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome code path (CWE-346: Origin Validation Error), undermining the browser's Same-Origin Policy enforcement on Apple's platform. No public exploit code exists and no active exploitation is confirmed; with an EPSS of 0.03% (11th percentile), real-world risk is currently assessed as low despite the high confidentiality impact in the CVSS scoring.

Apple Information Disclosure Google Suse Chrome +1
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11209 MEDIUM PATCH This Month

Sensitive information disclosure in Google Chrome's Passwords component (prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to read potentially sensitive data - including password material - from process memory by delivering a crafted HTML page. The attack carries a CVSS 6.5 (Medium) rating with high confidentiality impact and no integrity or availability consequence. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.03% (11th percentile), consistent with the non-trivial prerequisite of prior renderer compromise.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11208 MEDIUM PATCH This Month

Memory information disclosure in Google Chrome's Codecs component affects all desktop versions prior to 149.0.7827.53, enabling remote unauthenticated attackers to read potentially sensitive data from browser process memory when a user visits a specially crafted HTML page. The root cause is a use-after-free (CWE-416) in the media codec subsystem, yielding high confidentiality impact with no integrity or availability consequences per CVSS. EPSS is very low at 0.03% (11th percentile) and SSVC confirms no active exploitation, placing this firmly in the routine patch category despite its Medium severity score.

Denial Of Service Use After Free Memory Corruption Google Red Hat +2
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11206 MEDIUM PATCH This Month

Cross-origin data leakage via ServiceWorker policy bypass in Google Chrome affects all desktop versions prior to 149.0.7827.53. Insufficient policy enforcement in Chrome's ServiceWorker API allows unauthenticated remote attackers to read sensitive cross-origin data from a victim's browser session by directing the victim to a crafted HTML page. EPSS exploitation probability is very low at 0.03% (11th percentile), no public exploit code has been identified, and no CISA KEV listing exists at time of analysis - making this a moderate confidentiality risk that warrants patching but is not an immediate emergency for most organizations.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11203 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's GPU implementation on macOS allows remote unauthenticated attackers to exfiltrate sensitive cross-origin information by luring a user to a crafted HTML page. Affected are all Chrome releases on Mac prior to 149.0.7827.53. The vulnerability stems from an inappropriate GPU implementation (CWE-200) and carries no publicly available exploit at time of analysis; EPSS sits at 0.03% (11th percentile), indicating low current exploitation probability. No active exploitation has been confirmed by CISA KEV.

Information Disclosure Google Red Hat Suse Chrome
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11196 MEDIUM PATCH This Month

Type confusion in Google Chrome's XML processing engine exposes process memory contents to remote attackers who can deliver a crafted XML file to a victim. Versions prior to 149.0.7827.53 are affected, with confidentiality impact rated High (C:H) despite an overall CVSS score of 6.5 due to the required user interaction. No public exploit code has been identified and EPSS stands at 0.03% (11th percentile), indicating low observed exploitation pressure; no KEV listing confirms active exploitation at this time.

Information Disclosure Google Memory Corruption
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11195 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's MHTML implementation prior to version 149.0.7827.53 exposes sensitive user data to remote attackers via crafted HTML pages. The flaw stems from improper origin validation (CWE-346) in MHTML handling, allowing an attacker-controlled page to read data across origin boundaries - a significant breach of the browser's same-origin policy. Exploitation requires convincing a victim to perform specific UI gestures, and no public exploit or active exploitation has been identified at time of analysis; EPSS probability is very low at 0.03% (11th percentile).

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11194 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Network implementation prior to version 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a victim to a crafted HTML page. Rooted in CWE-346 (Origin Validation Error), the flaw permits the Network component to expose data across origin boundaries that same-origin policy should protect. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS of 0.03% (11th percentile) places real-world exploitation probability as very low at time of analysis.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11182 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG implementation affects all desktop versions prior to 149.0.7827.53, enabling remote attackers to exfiltrate sensitive data from other origins via a crafted HTML page. The flaw exploits Chrome's SVG rendering pipeline to violate the Same-Origin Policy, exposing confidential data such as authenticated session content or cross-site resources. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%, 11th percentile), though the zero-privilege-required, low-complexity attack path warrants prompt patching for any internet-facing user population.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11180 MEDIUM PATCH This Month

Cross-origin data leakage via Google Chrome's SVG implementation (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to exfiltrate sensitive information from foreign origins by luring a victim to a crafted HTML page. The flaw reflects an inappropriate SVG rendering implementation that fails to enforce cross-origin isolation boundaries, producing a high confidentiality impact with no integrity or availability consequences. EPSS is very low at 0.03% (11th percentile), no public exploit code has been identified, and no CISA KEV listing exists at time of analysis, suggesting limited observed exploitation despite the medium-severity CVSS score.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11176 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Media subsystem (all versions prior to 149.0.7827.53) enables a remote attacker to read sensitive data from other web origins by inducing a user to visit a specially crafted HTML page. The flaw stems from an inappropriate implementation in Media that fails to correctly enforce origin boundaries (CWE-346), resulting in high confidentiality impact per CVSS (C:H) with no integrity or availability consequence. No active exploitation is confirmed - CISA KEV is absent and EPSS sits at 0.03% (11th percentile) - but the confidentiality vector is significant for users accessing sensitive cross-origin content concurrently.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11168 MEDIUM PATCH This Month

Information disclosure in Google Chrome's Extensions subsystem prior to version 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by delivering a crafted HTML page. This is a second-stage vulnerability requiring a pre-existing renderer compromise as a hard prerequisite, making it a chained attack component rather than a standalone exploit. No public exploit code exists and CISA has not added this to the KEV catalog; the EPSS score of 0.03% and SSVC exploitation-status of 'none' are mutually consistent with no observed active exploitation.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11160 MEDIUM PATCH This Month

Out-of-bounds read in the Input component of Google Chrome on Linux (all versions prior to 149.0.7827.53) exposes potentially sensitive process memory to remote attackers. Exploitation requires delivering a crafted HTML page and inducing a Linux user to visit it (CVSS UI:R), after which the browser's Input handler reads beyond allocated buffer bounds, leaking in-memory data. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (11th percentile) indicating low current exploitation probability, and there is no CISA KEV listing - though the High confidentiality impact (C:H) warrants timely patching given Chrome's broad deployment on Linux.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11141 MEDIUM PATCH This Month

Uninitialized memory use in Google Chrome's Audio subsystem (versions prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to read potentially sensitive data from process memory via a crafted HTML page. This is a chained-exploit component - it does not grant initial access but can assist post-renderer-compromise data leakage or ASLR bypass. No KEV listing and an EPSS of 0.03% (11th percentile) indicate no observed widespread exploitation; no public exploit has been identified at time of analysis.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11139 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Paint component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to read sensitive cross-origin data by tricking a user into visiting a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's rendering Paint subsystem that fails to properly enforce cross-origin isolation boundaries. EPSS is low at 0.03% and no active exploitation is confirmed in CISA KEV, but the high confidentiality impact (C:H) combined with low attack complexity and no required privileges makes this a meaningful data-exfiltration risk for browser users visiting untrusted web content.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11138 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics component (versions prior to 149.0.7827.53) allows an unauthenticated remote attacker to read sensitive data belonging to other web origins by enticing a user to visit a specially crafted HTML page. The root cause is an uninitialized variable use (CWE-457) within ANGLE - Chrome's OpenGL ES translation layer - which can expose heap or stack memory contents across origin boundaries. No active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.03% (11th percentile) indicates low observed exploitation probability at time of analysis.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11137 MEDIUM PATCH This Month

Uninitialized memory exposure in Google Chrome's ANGLE graphics library prior to version 149.0.7827.53 enables remote unauthenticated attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS vector (PR:N/UI:R/C:H) confirms no attacker privileges are required but victim interaction is mandatory - the attack is entirely browser-side and exploits how ANGLE handles graphics state without zeroing memory first. No public exploit code exists and EPSS sits at 0.03% (11th percentile), indicating low observed exploitation interest despite the High confidentiality impact rating.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11134 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive data from cross-origin resources by luring victims to a crafted HTML page. The flaw is rooted in an inappropriate implementation in Chrome's Media subsystem, tagged with CSRF characteristics, allowing an attacker-controlled page to read content from origins the victim is authenticated to. EPSS is low at 0.03% and no public exploit or CISA KEV listing has been identified at time of analysis.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11129 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) enables a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. The flaw is classified under CWE-352 (Cross-Site Request Forgery), indicating the Extensions implementation incorrectly handles cross-origin request validation in a way that bypasses same-origin isolation boundaries. No public exploit has been identified at time of analysis, and an EPSS score of 0.03% (11th percentile) signals low current exploitation probability despite the High confidentiality impact rating.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11123 MEDIUM PATCH This Month

Uninitialized memory read in Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows remote attackers to obtain sensitive process memory contents through a crafted HTML page, with no authentication required but mandatory user interaction. The vulnerability carries a CVSS Confidentiality impact of High (C:H), indicating potentially significant data exposure despite the Medium overall score of 6.5. EPSS is low at 0.03% (11th percentile) and no CISA KEV listing exists, meaning no public exploit or confirmed widespread exploitation has been identified at time of analysis.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11110 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics subsystem (prior to 149.0.7827.53) allows a remote unauthenticated attacker to read sensitive data from other web origins by enticing a user to visit a crafted HTML page. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics translation layer, which may expose stale memory contents - potentially including data from other browser contexts or origins. No public exploit code or CISA KEV listing has been identified; EPSS probability of 0.03% (11th percentile) indicates low real-world exploitation pressure at time of analysis.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11109 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library affects all versions prior to 149.0.7827.53, allowing unauthenticated remote attackers to read sensitive cross-origin browser data by enticing a user to visit a specially crafted HTML page. The root cause is uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction layer, where residual memory contents from other origins can be exposed through the GPU pipeline. No public exploit identified at time of analysis, and the EPSS score of 0.03% (11th percentile) indicates low current exploitation probability; however, Chrome's broad install base makes any confirmed cross-origin data disclosure notable from a privacy and session-data standpoint.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11106 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive information from cross-origin pages by luring a victim to a crafted HTML page. The CVSS vector confirms unauthenticated network access with high confidentiality impact (C:H), though user interaction is required (UI:R). No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates low near-term mass exploitation probability, aligning with the Chromium team's 'Medium' severity rating.

CSRF Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11104 MEDIUM PATCH This Month

Uninitialized memory exposure in the ANGLE graphics layer of Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by delivering a crafted HTML page. The vulnerability is limited to confidentiality impact - no code execution or integrity compromise is possible through this vector alone. With an EPSS score of 0.03% (11th percentile), no public exploit code, and no CISA KEV listing, real-world exploitation risk is currently low despite the High confidentiality CVSS sub-score.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11101 MEDIUM PATCH This Month

Uninitialized memory use in the Dawn WebGPU engine of Google Chrome on Windows (all versions prior to 149.0.7827.53) enables a remote unauthenticated attacker to leak cross-origin data from a victim's browser session. Exploitation requires the victim to visit a crafted HTML page, breaking same-origin isolation by surfacing residual memory contents from other browsing contexts. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation probability; however, the High confidentiality CVSS impact warrants prompt patching in environments handling sensitive cross-origin data.

Information Disclosure Google Microsoft Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11090 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to read memory across origin boundaries by luring a victim to a crafted HTML page. The root cause is an uninitialized variable (CWE-457) within ANGLE - Chromium's graphics translation layer - which may retain residual data from prior allocations, exposing sensitive cross-origin content. No public exploit code exists and no active exploitation is confirmed (CISA KEV absent); EPSS is 0.03% (11th percentile), indicating low current real-world exploitation pressure.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11089 MEDIUM PATCH This Month

Uninitialized memory read in Google Chrome's Media component exposes sensitive process memory contents to attackers who have already compromised the renderer process. Specifically, Chrome versions prior to 149.0.7827.53 fail to initialize memory in the Media subsystem, enabling a secondary attacker-controlled read of arbitrary process memory via a crafted HTML page. EPSS stands at 0.03% (11th percentile), no public exploit has been identified, and this vulnerability is not listed in the CISA KEV catalog; the vendor-released patch is available in Chrome 149.0.7827.53.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11087 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics component (versions prior to 149.0.7827.53) enables a remote attacker who has already compromised the renderer process to read sensitive data from other origins via a crafted HTML page. The root cause is CWE-457 (Use of Uninitialized Variable) in ANGLE - residual memory contents in the graphics pipeline can be read before proper initialization, exposing data across origin boundaries. EPSS is very low at 0.03% (11th percentile) and no public exploit or CISA KEV listing has been identified, but the cross-origin data access impact makes this relevant in chained exploit scenarios.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11084 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Password Manager component (prior to 149.0.7827.53) exposes sensitive credential or form data to remote attackers through a crafted HTML page. The flaw stems from an inappropriate implementation classified under CWE-346 (Origin Validation Error), meaning the Password Manager fails to properly enforce same-origin boundaries when handling data. No privileges are required and exploitation is conditional only on user interaction with a malicious page; CVSS confidentiality impact is rated High, though no public exploit code exists and EPSS is at 0.03%, indicating low observed exploitation pressure at time of analysis.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11083 MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's Password Manager component affects Google Chrome versions prior to 149.0.7827.53, exploitable when a user visits an attacker-crafted HTML page. The flaw stems from an inappropriate implementation that fails to enforce proper origin boundaries within the Password Manager, allowing a remote, unauthenticated attacker to read sensitive cross-origin data - potentially including credential-related information surfaced by the Password Manager. No public exploit code has been identified and no active exploitation is confirmed (not in CISA KEV), with EPSS at 0.03% (11th percentile), though the high confidentiality impact (C:H) warrants prompt patching given Chrome's massive deployment surface.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11075 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's V8 JavaScript engine (versions prior to 149.0.7827.53) exposes sensitive process memory to remote attackers who can lure a victim to a crafted HTML page. The CVSS vector (PR:N/UI:R/C:H) confirms unauthenticated remote triggering with high confidentiality impact, though exploitation requires one click of user interaction. No public exploit identified at time of analysis, and EPSS sits at the 11th percentile (0.03%), suggesting low observed exploitation pressure despite the medium-severity classification.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11067 MEDIUM PATCH This Month

Uninitialized memory read in Chrome's Dawn (WebGPU) component exposes process memory contents to remote unauthenticated attackers who can entice a user to visit a crafted HTML page. All Chrome desktop versions prior to 149.0.7827.53 are affected, with confidentiality impact rated High (C:H) due to potential exposure of sensitive in-process data such as credentials or session tokens. No public exploit code or active exploitation has been identified at time of analysis; EPSS at 0.03% (11th percentile) reflects low current exploitation pressure.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11064 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android (prior to 149.0.7827.53) is enabled by a race condition in the GPU component, exploitable only after the attacker has already achieved renderer process compromise. Using a crafted HTML page, the attacker can then trigger the GPU race to read cross-origin data, constituting a second-stage information disclosure step in a broader attack chain. No public exploit code or CISA KEV listing exists at time of analysis; EPSS sits at 0.03% (11th percentile), consistent with limited real-world exploitation activity.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11057 MEDIUM PATCH This Month

Uninitialized memory use in Skia, Chrome's 2D graphics library, exposes process memory contents to a remote attacker who has already compromised the renderer process. Affected versions are all Chrome releases prior to 149.0.7827.53 on desktop platforms. An attacker leveraging this flaw can read potentially sensitive data from process memory - such as credentials, tokens, or page content - by delivering a crafted HTML page that triggers Skia's uninitialized memory path. No public exploit identified at time of analysis and EPSS stands at 0.03% (11th percentile), indicating low current exploitation pressure; however, the confidentiality impact is rated High by NVD.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11051 MEDIUM PATCH This Month

Out-of-bounds read in ANGLE (Google's graphics abstraction layer) within Chrome on Linux exposes sensitive process memory to remote attackers via a crafted HTML page. All Chrome for Linux versions prior to 149.0.7827.53 are affected; Windows and macOS are not in scope. The CVSS vector confirms unauthenticated remote exploitability at low complexity, though user interaction is required, and no public exploit has been identified at time of analysis - EPSS at 0.03% (11th percentile) signals minimal current exploitation pressure.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11044 MEDIUM PATCH This Month

Integer overflow in ANGLE (Google's graphics abstraction layer) within Chrome on macOS prior to 149.0.7827.53 enables remote information disclosure from process memory via crafted HTML pages. An unauthenticated remote attacker who induces user interaction can trigger out-of-bounds memory reads through a malicious webpage, potentially exposing credentials, session tokens, or other sensitive in-memory data. No active exploitation is confirmed (not listed in CISA KEV) and EPSS of 0.03% (11th percentile) reflects low real-world exploitation probability at time of analysis.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11039 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Skia graphics library (prior to 149.0.7827.53) enables a remote attacker to read sensitive data from other origins by enticing a user to visit a crafted HTML page. The flaw stems from uninitialized memory use (CWE-457) in Skia, Chrome's 2D rendering engine, where residual memory contents can be exposed across security boundaries. No active exploitation has been confirmed (not in CISA KEV) and EPSS sits at 0.03% (11th percentile), indicating low real-world exploitation probability at time of analysis, though the confidentiality impact is rated High by CVSS.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11032 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) enables unauthenticated remote attackers to access sensitive data across security origin boundaries when a victim visits a specially crafted HTML page. The flaw involves an inappropriate implementation of origin validation (CWE-346) within the Password Manager subsystem, potentially exposing saved credentials or autofill data to a malicious origin. No active exploitation has been confirmed - SSVC classifies exploitation as none and EPSS places this in the 11th percentile - though the High confidentiality impact in the CVSS vector reflects meaningful data exposure if triggered.

Information Disclosure Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11020 MEDIUM PATCH This Month

Cross-origin data disclosure in Google Chrome's Extensions component (versions prior to 149.0.7827.53) enables a remote attacker to read sensitive data belonging to other origins by delivering a crafted XML file to a victim. The CVSS vector confirms network-reachable, unauthenticated access (AV:N/PR:N) with High confidentiality impact, though user interaction is required (UI:R). No public exploit has been identified at time of analysis and EPSS probability sits at a low 0.03% (11th percentile), indicating limited exploitation likelihood despite the meaningful confidentiality impact.

Information Disclosure Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11019 MEDIUM PATCH This Month

Domain spoofing in the Google Chrome Payments component on Android (versions prior to 149.0.7827.53) enables integrity manipulation of payment flows when an attacker has already compromised the renderer process. By serving a crafted HTML page, the attacker can make the Chrome Payments UI display a spoofed domain, potentially deceiving users into authorizing payments to attacker-controlled origins. EPSS stands at 0.03% (11th percentile), no public exploit code has been identified, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Google Chrome Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11006 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Dawn WebGPU subsystem (versions prior to 149.0.7827.53) allows unauthenticated remote attackers to read arbitrary memory contents by tricking a user into visiting a crafted HTML page. The vulnerability carries a CVSS 6.5 (Medium) with high confidentiality impact and no integrity or availability impact, indicating targeted data-disclosure potential rather than code execution. EPSS is 0.03% (11th percentile) and the vulnerability is not listed in the CISA KEV catalog - no public exploit has been identified at time of analysis.

Information Disclosure Google Buffer Overflow Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 8 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy