Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthenticated attackers coerce the server into making arbitrary outbound requests when the adminCenter-1.0 feature is enabled. Reported by IBM PSIRT with a CVSS 3.1 base score of 9.8, the flaw carries no public exploit identified at time of analysis; EPSS is low at 0.21% (12th percentile) and CISA SSVC records exploitation status as none. The adminCenter-1.0 administrative console feature is the specific attack surface, so exposure is limited to Liberty instances that enable it.
Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux, fixed in 150.0.7871.47, lets a remote attacker corrupt memory via crafted network traffic and potentially run arbitrary code. The flaw is a CWE-416 use-after-free reported by Google's internal Chrome security team; there is no public exploit identified at time of analysis and it is not in CISA KEV. Note a signal conflict: NVD scores this 9.8 (Critical) while Chromium itself rated the security severity 'Low', and EPSS is only 0.20% (10th percentile).
Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthenticated attackers coerce the server into issuing crafted requests to internal or external systems when the optional apiDiscovery-1.0 feature is enabled. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N), reflecting network-reachable, no-privilege exploitation, though no public exploit is identified at time of analysis and EPSS is low at 0.19% (8th percentile). CISA SSVC scores exploitation as none and non-automatable, indicating no observed weaponization yet.
Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.
Blind SQL injection in Eksagate SYSGUARD 6001 (versions 2.0.2 up to but not including 6.1.16.0) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input, enabling extraction or manipulation of backend database contents. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates it 9.8 Critical with full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued for affected branches.
SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive the appliance by sending malformed HTTP/2 requests, but only when HTTP/2 is enabled in the HTTP Profile and bound to an LB, CS, or VPN virtual server or service. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss, exploitable over the network without authentication or user interaction. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Type Confusion in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 stems from a heap buffer overflow in the Chromecast component, letting an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6, but it is a second-stage bug requiring prior renderer control, and there is no public exploit identified at time of analysis (SSVC exploitation: none, EPSS 0.22%). No CISA KEV listing exists, indicating no confirmed active exploitation.
Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.
Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.
Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who already controls a compromised renderer process break out of the browser sandbox through insufficient policy enforcement in the Web Serial API, using a crafted HTML page. Google rated the underlying Chromium bug Medium severity even though NVD assigns a 9.6 CVSS due to the scope-changing impact. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.22%, 12th percentile).
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Sandbox escape in Google Chrome on Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page that abuses insufficient input validation in the Media component. Google rates the Chromium security severity as Medium and a fix is shipped in the stable channel, but no public exploit has been identified and EPSS exploitation probability is low at 0.21%. The high 9.6 CVSS reflects the total system compromise possible once chained, not standalone exploitability.
Sandbox escape in Google Chrome DevTools before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, stemming from insufficient policy enforcement (CWE-693). NVD scores this 9.6 with a scope-change vector, though Google rates the Chromium severity only Medium and it is a second-stage bug requiring prior renderer compromise. No public exploit has been identified at time of analysis and EPSS is low (0.21%), consistent with a chained rather than standalone threat.
Race in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.
Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.
Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. There is no public exploit identified at time of analysis, and the EPSS score is low (0.21%, 11th percentile), consistent with a second-stage bug that requires a prior renderer compromise rather than a directly weaponizable single-shot flaw.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Journeys (browsing history) component, allowing a remote attacker who has already compromised the renderer process to break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Rated High severity by Chromium and CVSS 9.6, a fix is available from vendor; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile). Exploitation is meaningful only as the second stage of a chain, since it presupposes prior renderer compromise.
Sandbox escape in Google Chrome for macOS before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by exploiting a use-after-free in the USB subsystem via a crafted HTML page. Rated High by Chromium and CVSS 9.6, it functions as a second-stage escalation primitive rather than a standalone entry point. There is no public exploit identified at time of analysis, and EPSS is low at 0.21% (11th percentile).
Insufficient validation of untrusted input in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome's Chromecast component before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to the more privileged browser process. Google rates the Chromium severity High and the CVSS is 9.6 due to the scope change; however, EPSS is only 0.21% (11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.
Sandbox escape in Google Chrome for macOS versions prior to 150.0.7871.47 stems from a use-after-free in the Touchbar component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Reported through Google's internal Chrome security process and rated High by Chromium, it carries a CVSS 9.6 due to scope change and full CIA impact, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.21%. SSVC assesses current exploitation as none, indicating this is a patch-now-but-not-panic item.
Sandbox escape in Google Chrome's GPU process (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6 due to a scope-changing (S:C) full-impact outcome, this is a use-after-free (CWE-416) memory-corruption bug. No public exploit identified at time of analysis; EPSS is low (0.21%, 11th percentile) and CISA SSVC lists exploitation as none, so it is a serious-but-not-yet-exploited patch priority.
Cross-tenant credential confusion in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user manipulate the voice-mode shared cache so that other tenants' requests are processed with the wrong upstream API credentials, causing billing and accountability to be misattributed across tenant boundaries. The flaw (CWE-639) requires only low-privilege authentication and is rated critical (CVSS 9.6) because a scope change extends the impact to other users and upstream services. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Grav CMS before 2.0.0-beta.2 stems from three distinct flaw classes: PHP object injection via unsafe unserialize() of attacker-controllable data in the Scheduler JobQueue, FileCache adapter, and Session components, an OS command injection in the plugin/theme InstallCommand git clone routine, and a Twig sandbox blocklist bypass enabling server-side template injection. An attacker who can influence the serialized input can chain available gadgets to run arbitrary PHP, while the command-injection path is reachable by authenticated administrators through plugin/theme installation. No public exploit identified at time of analysis; the issues were privately reported by VulnCheck and are fixed in 2.0.0-beta.2.
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Sandbox escape in Google Chrome for Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process abuse a use-after-free in the Updater component via a crafted HTML page to break out of the browser sandbox. It is a second-stage bug that Chromium rated only Low severity despite the CVSS 9.6 score, with no public exploit identified at time of analysis and a low EPSS probability of 0.18% (8th percentile). Google has shipped a fixed Stable-channel build.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who has already compromised the renderer process bypass Mojo IPC policy enforcement and break out of the sandbox using a crafted HTML page. This is a second-stage flaw in the Mojo inter-process communication layer rather than an initial-access bug, and Google itself rated the Chromium security severity as Low despite the NVD CVSS of 9.6. No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Sandbox escape in Google Chrome on macOS before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox through a crafted HTML page. The root cause is insufficient policy enforcement in Chrome's macOS sandbox (CWE-693). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile); Google's own Chromium security team rated the severity 'Low', which conflicts sharply with the CVSS 9.6 assigned by NVD.
Sandbox escape in Google Chrome on macOS prior to 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the WebAppInstalls component. Chromium rated the underlying issue Low severity even though the CVSS base score is 9.6, and there is no public exploit identified at time of analysis; EPSS is 0.17% (7th percentile). The vulnerability is a second-stage primitive that requires prior renderer code execution, not a standalone drive-by.
Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and gain code execution on the host via a crafted HTML page. The flaw stems from insufficient policy enforcement in the browser process (CWE-20) and, while carrying a high CVSS base score of 9.6 due to the scope change, was rated only Low severity by Chromium because it is not independently exploitable. No public exploit has been identified and EPSS probability is very low (0.17%, 7th percentile).
Sandbox escape in Google Chrome's Cast component (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416) memory-corruption bug. Google's Chromium team rated the security severity as Low, and while NVD assigns a 9.6 CVSS reflecting full sandbox-escape impact, exploitation is gated behind a pre-existing renderer compromise. No public exploit was identified at time of analysis, EPSS is very low at 0.17% (7th percentile), and there is no CISA KEV listing.
Sandbox escape in Google Chrome on Windows prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by feeding crafted input to the Device Trust component via a malicious HTML page. NVD scores this 9.6 (Critical) while Google rates the Chromium security severity as Low, and there is no public exploit identified at time of analysis. EPSS is very low at 0.17% (7th percentile), and it is not listed in CISA KEV.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) and is second-stage: it is not directly exploitable from the open web without a prior renderer compromise. No public exploit has been identified at time of analysis, and its EPSS exploitation probability is low (0.17%, 7th percentile); notably, Google rated the Chromium security severity as Low despite the NVD CVSS of 9.6.
Sandbox escape in Google Chrome's GetUserMedia (media capture) implementation before version 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own security team; despite an NVD CVSS of 9.6, Chromium rates its severity Low, and there is no public exploit identified at time of analysis with an EPSS of only 0.17% (7th percentile).
Sandbox escape in Google Chrome's GPU process before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page. The flaw is a protection-mechanism failure (CWE-693) that Google patched in the June 2026 Stable channel update; Chromium rated its intrinsic severity Low because it is only useful as the second link in an exploit chain, and no public exploit has been identified at time of analysis. EPSS probability is low (0.17%, 7th percentile), consistent with a chained bug rather than a mass-exploitable entry point.
Sandbox escape in Google Chrome's Navigation component before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated Medium by Chromium but carries a 9.6 CVSS due to the scope-changing sandbox breach; EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis, indicating it is realistically a second-stage link in an exploit chain rather than a standalone remote-code path.
Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the renderer sandbox via a crafted HTML page. The flaw is a CWE-787 out-of-bounds read and write; Google's own Chromium team rated the security severity as Low, and there is no public exploit identified at time of analysis. EPSS estimates only a 0.17% (7th percentile) chance of exploitation, and the vulnerability is not listed in CISA KEV.
Sandbox escape in Google Chrome's Media component before version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to break out of the sandbox using a crafted video file. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a scope-changing CVSS 3.1 score of 9.6, though Google rated the underlying Chromium severity as Low and no public exploit has been identified at time of analysis. EPSS is low at 0.16% (6th percentile), and it is not listed in CISA KEV.
SAML assertion replay in Rancher's Assertion Consumer Service (ACS) handler lets a person-in-the-middle who captures a victim's SAML response reuse that assertion to authenticate as the victim, because the handler never enforces one-time use. Rancher 2.14.0 through 2.14.2 are affected, and because Rancher governs downstream Kubernetes clusters, a successful replay can yield administrative control. No public exploit identified at time of analysis; the issue is not on the CISA KEV list, and the carried CVSS 4.0 base score is 9.5 driven largely by the scope/subsequent-system impact.
Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.
Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. No public exploit has been identified at time of analysis, but the issue carries a high CVSS 4.0 base score of 9.3 and was reported by VulnCheck.