Skip to main content
CVE-2026-11645 HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.

Information Disclosure Google Buffer Overflow RCE Red Hat +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
Threat
4.8
CVE-2017-20249 HIGH POC This Week

Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Apptha Slider Gallery
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20244 HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20246 HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20245 HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20065 HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20062 HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20247 HIGH POC This Week

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20243 HIGH POC This Week

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20250 HIGH POC This Week

Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2017-20248 HIGH POC This Week

Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-49948 HIGH POC PATCH This Week

Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.

Authentication Bypass PostgreSQL Mem0
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-44812 HIGH PATCH NEWS Exploit Likely Act Now

Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.

Microsoft Integer Overflow Buffer Overflow Excel Powerpoint +14
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-44803 HIGH PATCH NEWS Exploit Likely Act Now

Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.

Microsoft Integer Overflow Buffer Overflow Excel Powerpoint +14
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-42991 HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an authenticated low-privilege user can win to gain higher privileges on the host. The CVSS 7.8 score with Scope:Changed indicates successful exploitation crosses a security boundary, impacting confidentiality, integrity, and availability of resources beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42979 HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an attacker with low-privileged local access can exploit to gain higher privileges. No public exploit identified at time of analysis, and the issue is not on CISA KEV, but the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability once the race is won. A vendor patch is available via the Microsoft Security Response Center advisory.

Information Disclosure Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42977 HIGH PATCH Act Now

Local privilege escalation in Windows Push Notifications enables an authenticated low-privileged user to elevate to higher privileges by exploiting a race condition (CWE-362) in concurrent access to a shared resource. Successful exploitation results in high impact to confidentiality, integrity, and availability with scope change, but no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory.

Information Disclosure Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42978 HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) in concurrent handling of shared resources, allowing an authorized low-privileged attacker to win a timing window and elevate to higher privileges with scope change. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local-only exploitation with high attack complexity due to the timing-dependent nature, but a successful attacker gains full confidentiality, integrity, and availability impact across a security boundary. No public exploit identified at time of analysis.

Information Disclosure Microsoft Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-11607 HIGH POC PATCH GHSA This Week

Privilege escalation in TYPO3 CMS allows authenticated backend users with Form Framework access to execute arbitrary SQL by uploading malicious form definitions with non-standard file extensions, enabling creation of administrative backend accounts. The flaw stems from incomplete file-extension validation in FormPersistenceManager and affects every supported branch (10.4, 11.5, 12.4, 13.4, 14.3) below the fixed releases. No public exploit identified at time of analysis, but the upstream fix commits are public on GitHub.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2016-20063 HIGH POC Monitor

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Single Personal Message
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-45640 HIGH PATCH Exploit Unlikely Act Now

Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.

Microsoft Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-34335 HIGH PATCH Act Now

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition in the kernel-mode driver. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but AFD.sys has a long history of being targeted for kernel EoP, making this a likely candidate for future weaponization. CVSS 7.0 reflects the high attack complexity required to reliably win the underlying race or reuse condition.

Microsoft Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-41108 HIGH PATCH Act Now

Local privilege escalation in Microsoft Windows DNS allows an authenticated low-privileged user to gain elevated privileges via a heap-based buffer overflow (CWE-122). The CVSS 7.0 score reflects high attack complexity and local-only access, and no public exploit is identified at time of analysis. The flaw was reported privately by Microsoft (MSRC) and is tracked under MSRC advisory CVE-2026-41108.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24349 HIGH CISA Act Now

Sensitive key material extraction is possible in Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection in the WinCC Certificate Manager component. A local attacker on an affected HMI/SCADA workstation could harvest cryptographic key material that protects operator certificates, potentially enabling impersonation or downstream attacks against industrial control networks. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Information Disclosure Simatic Wincc Unified Pc Runtime V16 Simatic Wincc Unified Pc Runtime V17 Simatic Wincc Unified Pc Runtime V18 Simatic Wincc Unified Pc Runtime V19 +2
NVD
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-45484 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Microsoft Deserialization Sharepoint Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-45504 HIGH PATCH This Week

Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.

Microsoft SSRF Exchange Server
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32193 HIGH PATCH NEWS This Week

Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path traversal flaw (CWE-22) that allows an authorized attacker on the local system to break out of restricted directory boundaries and execute code with elevated privileges. The CVSS 3.1 score of 8.8 reflects the scope change (S:C) where exploitation impacts resources beyond the vulnerable component, enabling full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

Microsoft Kubernetes Path Traversal Azure Kubernetes Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41098 HIGH PATCH Exploit Unlikely This Week

Stored or reflected cross-site scripting in Microsoft Azure Stack Edge enables an authenticated high-privileged attacker to inject malicious script into the management web interface, leading to spoofing attacks across a network with scope change to other components. With CVSS 8.4 reflecting high confidentiality, integrity, and availability impact plus required user interaction, successful exploitation could compromise adjacent Azure resources or administrative sessions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Microsoft
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-45482 HIGH PATCH Exploit Unlikely This Week

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker to escape a restricted directory and reach files or resources that should be inaccessible. The flaw is tracked under CWE-22 with a CVSS 3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N) reflecting high confidentiality, integrity, and availability impact from local exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Visual Studio Code
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-42835 HIGH PATCH Exploit Unlikely This Week

Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data via an injection flaw (CWE-74) in output passed to a downstream component. The CVSS 8.1 rating reflects high confidentiality and availability impact over the network with low privileges and no user interaction, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Google Microsoft Teams
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40376 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45644 HIGH PATCH Exploit Unlikely This Week

Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Microsoft Live Share Canvas
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-47298 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Office SharePoint enables an authenticated attacker with low privileges to execute arbitrary code over the network when a victim user is induced to perform an action. The flaw stems from an improper authorization check (CWE-285) that fails to enforce expected access boundaries, yielding full confidentiality, integrity, and availability impact (CVSS 8.0). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Microsoft Sharepoint Server
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-45782 HIGH PATCH This Week

Use-after-free in Cloud Hypervisor versions 21.0 through 51.1 allows a malicious guest VM to corrupt host memory in the cloud-hypervisor VMM process by racing duplicate virtio-block descriptor chains against the host's asynchronous I/O completion path. The flaw carries a CVSS 4.0 score of 8.9 with high impact on both the affected VMM and subsequent system scope, indicating a credible VM escape primitive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Use After Free Memory Corruption Suse
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-36723 HIGH This Week

Remote code execution in BookCars v8.3 is achievable by authenticated attackers who abuse a path traversal flaw in the /api/create-user endpoint to rename and relocate files from temporary storage to attacker-chosen filesystem paths. The flaw is tagged as Authentication Bypass, Path Traversal, and RCE, and a public write-up exists in a third-party GitHub repository, though it is not listed in CISA KEV and EPSS is low at 0.17% (38th percentile).

RCE Path Traversal Authentication Bypass N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-45591 HIGH PATCH GHSA Exploit Unlikely This Week

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disrupt application availability. The CVSS 7.5 score reflects high availability impact with low attack complexity and no required privileges or user interaction, though no public exploit identified at time of analysis. Microsoft (secure@microsoft.com) is the reporting source via MSRC, indicating a vendor-coordinated disclosure.

Denial Of Service Asp Net Core Visual Studio 2026 Net
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2026-47292 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Visual Studio Code
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-45447 HIGH PATCH This Week

Heap use-after-free in OpenSSL's PKCS7_verify() function affects multiple supported branches (1.0.2, 1.1.1, 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0) and is fixed in OpenSSL 4.0.1. Authenticated remote attackers able to submit crafted PKCS#7 signed data to a vulnerable application can trigger memory corruption leading to high-impact compromise of confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis; EPSS is low (0.12%, 30th percentile) and CISA SSVC reports no observed exploitation, though the flaw is rated automatable with total technical impact.

OpenSSL Information Disclosure Use After Free Memory Corruption
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-45648 HIGH PATCH NEWS This Week

Remote code execution in Microsoft Active Directory Domain Services allows an authenticated network attacker to trigger a stack-based buffer overflow (CWE-121) and execute arbitrary code on the targeted domain controller. With CVSS 8.8 (AV:N/AC:L/PR:L/UI:N) and high impact across confidentiality, integrity, and availability, successful exploitation could enable full domain compromise. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Stack Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11688 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that abuses an inappropriate SVG implementation. Google rates the underlying Chromium issue as High severity, and no public exploit identified at time of analysis, though the user-interaction requirement (UI:R) and high CVSS of 8.8 make this a meaningful drive-by browsing risk once a patch is reverse-engineered.

Code Injection Google RCE Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11662 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw stems from a type confusion bug in Chromium's Bindings layer (CWE-843), rated High severity by Chromium and CVSS 8.8 due to network-based exploitation requiring only user interaction. No public exploit identified at time of analysis and EPSS data was not provided, but Chromium V8/bindings issues historically attract exploit development.

Google Memory Corruption RCE Red Hat Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11680 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 allows attackers to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page, triggering a use-after-free condition in the Media component. The flaw carries a CVSS 8.8 (High) rating and is tagged by Chromium as High severity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Microsoft +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11674 HIGH PATCH This Week

Remote code execution in Google Chrome's Guest View component prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring users to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium with a CVSS of 8.8, and while no public exploit has been identified at time of analysis, Google has shipped a patched stable channel build. Exploitation requires user interaction (visiting a malicious page) and code execution is confined to the sandbox, meaning a sandbox escape would be needed for full host compromise.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11673 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the InterestGroups component, enabling a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The vulnerability carries a CVSS 8.8 (High) score and is rated High severity by Chromium, but no public exploit identified at time of analysis and SSVC indicates exploitation status of none. Attack requires user interaction (visiting a malicious page) but no authentication.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11670 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the PDF component, enabling a remote attacker who lures a user into opening a crafted PDF to execute arbitrary code within the renderer sandbox. Rated High by Chromium with CVSS 8.8, the issue requires user interaction but no authentication, and currently has no public exploit identified at time of analysis.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11657 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Payments component, allowing a remote attacker to run arbitrary code in the renderer process via a crafted HTML page. The issue carries a CVSS 8.8 (High) rating and was reported through Google's internal Chrome security process; no public exploit identified at time of analysis. Exploitation requires the victim to load attacker-controlled web content (UI:R), but no authentication or special privileges are needed.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11650 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium and carries a CVSS 8.8 score; no public exploit identified at time of analysis, but V8 UAF bugs are historically high-value targets for exploit chains.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11649 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.103 allows attackers to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS 8.8 score reflecting low attack complexity but requiring user interaction. No public exploit identified at time of analysis, though V8 use-after-frees historically attract rapid weaponization for browser exploit chains.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11646 HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free condition in the ViewTransitions component, allowing a remote attacker to execute arbitrary code within the browser's renderer sandbox by serving a crafted HTML page. Google rates the Chromium security severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV.

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11637 HIGH PATCH This Week

Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 stems from a use-after-free flaw in the Views UI component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Google rates the underlying Chromium severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.8 score reflects network-reachable exploitation with low complexity but requiring user interaction (visiting the malicious page).

Google Memory Corruption RCE Use After Free Denial Of Service +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy