Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
Heap corruption in Google Chrome's Views UI framework on macOS (versions before 150.0.7871.47) lets a remote attacker who lures a victim to a crafted HTML page and coaxes them into specific UI gestures trigger a use-after-free, potentially achieving code execution in the renderer. Google rates the Chromium severity as Low, but the NVD CVSS is 8.8 (High), and no public exploit has been identified at time of analysis. EPSS is low at 0.21% (11th percentile), and the flaw is not in CISA KEV.
Use-after-free in Google Chrome's Ozone component on Linux prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and inducing specific UI gestures. Rated CVSS 8.8 with high confidentiality, integrity and availability impact, it is patched in the stable channel but requires user interaction (UI:R). No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile), and Google classifies the Chromium severity as Medium.
Integer overflow in Fonts in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)
Insufficient validation of untrusted input in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Heap corruption in Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a user through specific in-page UI gestures on a crafted HTML page trigger a use-after-free (CWE-416), potentially leading to arbitrary code execution in the renderer. Rated Medium by the Chromium security team but scored CVSS 8.8 due to full confidentiality/integrity/availability impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.21% (11th percentile), consistent with a freshly patched browser bug that has no known weaponization.
Insufficient policy enforcement in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome versions prior to 150.0.7871.47 stems from insufficient input validation in the Glic component, allowing a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page); there is no public exploit identified at time of analysis and EPSS estimates only a 0.21% exploitation probability. A vendor patch is available and the issue is not listed in CISA KEV.
Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.
Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Heap corruption in Google Chrome's WebNN (Web Neural Network API) implementation on Windows, fixed in 150.0.7871.47, lets an attacker who has already compromised the renderer process trigger a heap buffer overflow via a crafted HTML page and potentially escalate beyond the sandbox. Chromium's own security team rated this Low severity, while NVD scores it 8.8; EPSS is low at 0.19% (9th percentile) and there is no public exploit identified at time of analysis. It is not listed in CISA KEV and SSVC records exploitation status as none.
Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)
Heap corruption via use-after-free in Google Chrome's Passwords component affects all desktop builds prior to 150.0.7871.47, letting a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption and code execution in the renderer. The CVSS 3.1 vector (8.8) requires user interaction (visiting the page) but no privileges or authentication. No public exploit identified at time of analysis, and the low EPSS score (0.17%, 7th percentile) plus Chromium's own 'Low' severity rating suggest limited real-world exploitation likelihood despite the high CVSS.
Privilege escalation in Google Chrome's WebRTC component (versions prior to 150.0.7871.47) allows a remote attacker to escape normal renderer restrictions when a victim opens a crafted HTML page, per the CVSS vector achieving high confidentiality, integrity, and availability impact. Exploitation requires user interaction (visiting a malicious page) but no prior authentication. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 7th percentile); notably, Google/Chromium rated this 'Low' severity while the NVD CVSS is 8.8 (High), a discrepancy defenders should weigh.
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Serial (Web Serial API) component, allowing a remote attacker who lures a victim to a crafted HTML page to escalate privileges within the browser. Note the signal conflict: NVD scores this 8.8 (High) with high confidentiality/integrity/availability impact, yet Chromium's own triage rates the security severity as Low. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS is very low at 0.17% (7th percentile).
Privilege escalation in Google Chrome desktop before 150.0.7871.47 stems from insufficient policy enforcement in the Bluetooth subsystem, letting a remote attacker who lures a victim to a crafted HTML page cross a security boundary the browser is supposed to guard. Google's Chrome release channel and the NVD-assigned CVSS 3.1 base score of 8.8 (High) diverge from Chromium's own internal 'Low' severity rating, signaling the practical impact is likely narrower than the raw score implies. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.17% (7th percentile), consistent with no active exploitation reported.
Use-after-free in Google Chrome's SignIn component (versions prior to 150.0.7871.47) allows a remote attacker to trigger heap corruption and potentially achieve code execution after luring a victim to a crafted HTML page and performing specific UI gestures. No public exploit was identified at time of analysis, and with an EPSS of 0.17% (7th percentile) and Chromium-rated 'Low' severity, near-term mass exploitation appears unlikely despite the high 8.8 CVSS. The flaw is patched in the current stable channel and is not listed in CISA KEV.
Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Heap corruption in the Chromoting (Chrome Remote Desktop) component of Google Chrome before 150.0.7871.47 lets a remote attacker deliver malicious network traffic to a victim's active remote session, potentially corrupting heap memory and enabling arbitrary code execution in the browser process. All desktop Chrome installs using Chrome Remote Desktop below the fixed build are affected. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation as none; EPSS is low at 0.16% (6th percentile), so this is a patch-during-normal-cycle item rather than an emergency.
Heap-based integer overflow in Google Chrome's Chromecast component allows an adjacent-network attacker to achieve arbitrary code execution against browsers running versions prior to 150.0.7871.47. The flaw is reachable via crafted malicious network traffic and carries a high CVSS of 8.8; Google has shipped a stable-channel fix, and no public exploit has been identified at time of analysis. Chromium rates the underlying issue as Medium severity despite the high CVSS, reflecting the adjacency and interaction constraints.
Sandboxed arbitrary code execution in Google Chrome for iOS before 150.0.7871.47 lets an attacker who convinces a user to open a malicious file run code inside the browser's sandbox due to insufficient validation of untrusted input. Google rates the Chromium severity High and ships the fix in 150.0.7871.47; EPSS is low (0.15%, 4th percentile) and there is no public exploit identified at time of analysis. The flaw requires user interaction (opening the file) and, per the description, the resulting execution is confined to the sandbox rather than the underlying OS.
Heap corruption in Google Chrome's BrowserTag component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by a crafted Chrome extension. An attacker who convinces a victim to install a malicious extension can potentially exploit the freed-memory condition to corrupt the heap and execute code. No public exploit identified at time of analysis, and EPSS is low (0.12%, 2nd percentile), consistent with the Chromium team's own 'Low' severity rating despite the NVD CVSS of 8.8.
{id} action yet executed by the restrictive /users list handler. No public exploit identified at time of analysis, but the technique is fully described in the AWS/GitHub advisory and trivially reproducible.
Authenticated command injection in Coolify's CA Certificate management feature (all versions prior to 4.0.0-beta.464) lets any logged-in user inject arbitrary OS commands that execute as the configured SSH user on a managed server. Because Coolify requires that SSH user to be root or a docker-group member, successful exploitation yields full compromise of the managed host and every Docker container it runs. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a high-priority patch for any multi-user Coolify instance.
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a path-traversal flaw in the builder upload proxy to reach internal administrative endpoints. By appending traversal sequences to the upload path - which the WHATWG URL parser normalizes - an attacker pivots requests carrying the privileged BUILDER_API_KEY header, turning limited build access into SSRF and elevated server-side privileges. Reported by VulnCheck with a CVSS 4.0 score of 8.7; no public exploit identified at time of analysis.
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse two SECURITY DEFINER RPC functions, get_user_id and get_org_perm_for_apikey, reachable with only the public/anon API key. Attackers can confirm whether a leaked API key is valid, resolve user UUIDs, and read the permission level tied to a key, turning otherwise-uncertain credential leaks into actionable, scoped targets. CVSS 4.0 is 8.7 (High); there is no public exploit identified at time of analysis and it is not in CISA KEV.
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindings and member email addresses through the public.get_org_user_access_rbac PostgREST RPC endpoint. An improper NULL comparison in the authorization gate fails open, so anyone holding only a public API key can enumerate org membership, assigned roles, and emails. No public exploit has been identified at time of analysis, and the flaw discloses data only (no integrity or availability impact), but the CVSS 4.0 score of 8.7 reflects easy, unauthenticated, network-reachable confidentiality loss.
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding the GROUP_EDIT right elevate to full administrative control. Because GroupController::updatePermissions never verifies that the caller already possesses the permissions being assigned, a low-privileged admin can grant high-value rights to a group they belong to and inherit those rights. The flaw was reported by VulnCheck; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited API key by supplying its identifier in the client-controlled x-limited-key-id header, which middlewareKey() trusts without checking ownership. Any low-privilege account can therefore read and act on resources belonging to other tenants across multiple API endpoints. No public exploit identified at time of analysis, though the flaw is trivially reproducible once the key-ID format is known.
Privilege escalation in Capgo before 12.128.2 lets an authenticated org admin assign org-scoped RBAC roles at the narrower app scope without any validation of scope compatibility, and to do so even for pending (not-yet-accepted) invitees. Because these malformed high-privilege bindings persist through invite acceptance, a nominally low-privilege user who accepts the invite gains unauthorized privileged app-level actions. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
{} literals. No public exploit identified at time of analysis, but the high CVSS (8.6) and trivial exploitation make this a priority for affected deployments.
Server-Side Request Forgery in Sigstore Fulcio (before v1.8.6) lets a compromised or malicious OIDC issuer redirect the OIDC Discovery client's metadata fetches to attacker-chosen hosts, enabling blind SSRF against internal systems, poisoning of the verifier cache via a substituted jwks_uri so forged signatures validate, and leakage of the in-cluster Kubernetes ServiceAccount token to third-party hosts. Unauthenticated remote attackers who control a configured (or wildcard-matched) issuer can chain these into trust compromise of the certificate authority. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information disclosure in Advantech Hospital Queuing Management allows unauthenticated remote attackers to retrieve internal API documentation by requesting a specific URL, exposing the application's API surface, endpoints, and parameters. The flaw carries a high CVSS 4.0 base score of 8.7 driven entirely by confidentiality impact, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The leaked documentation primarily serves as reconnaissance that lowers the barrier to attacking other endpoints of this healthcare queuing platform.
Denial of service (and a 1-byte out-of-bounds read) in GNOME GLib before 2.88.1 arises from an off-by-one error in g_key_file_get_locale_string_list() in gkeyfile.c when a parsed key file contains an empty value. Any application built on GLib that loads attacker-influenced .desktop/.ini-style key files can be crashed if the over-read crosses a page boundary, with a minor information-disclosure component from the single out-of-bounds byte. Publicly available exploit code exists (SSVC 'poc'), but it is not on CISA KEV and EPSS is low (0.24%, 15th percentile), indicating no evidence of widespread active exploitation.
Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Server-Side Request Forgery in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote, unauthenticated attacker coerce the server into issuing crafted requests, bypassing intended security controls to gain unauthorized read access to otherwise protected resources. Because the CVSS scope is changed (S:C) and confidentiality impact is High, the attacker can reach internal systems or restricted endpoints beyond ColdFusion's own boundary without any user interaction. No public exploit identified at time of analysis, and this CVE is not on CISA KEV.
Remote code execution in Redeight CMS 1.0 lets an authenticated attacker upload arbitrary PHP scripts through the admin Pages module's FileAdd endpoint, which performs no extension or MIME-type validation. The uploaded file lands in the web-accessible /uploads/files/ directory and is executed directly by the web server, yielding full server-side code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 lets an authenticated flow-author bypass the API Request component's SSRF protections by toggling the follow_redirects parameter and pointing it at a benign public URL that redirects to internal or localhost targets. Because only the initial URL is validated and redirect destinations are not re-checked, attackers can pivot to cloud metadata services, localhost endpoints, and private-network HTTP services to exfiltrate credentials, tokens, and admin-panel data. No public exploit identified at time of analysis; risk is driven by the CVSS 8.5 rating and the high value of cloud-metadata SSRF targets rather than confirmed in-the-wild use.
Arbitrary OS command execution in RPG Maker MV and MZ (Gotcha Gotcha Games) is triggered when a victim loads a maliciously crafted save-file, allowing an attacker to run commands with the privileges of the game process. The flaw is a classic OS command injection (CWE-78) reported through JPCERT/JVN; no public exploit has been identified at time of analysis and it is not in CISA KEV. Because exploitation is local and requires the user to load attacker-supplied data, impact hinges on social-engineering victims into opening untrusted saves.
Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. Rated CVSS 8.5 (CWE-20); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation to root in LinuxCNC (linuxcnc-uspace) before 2.9.9 lets any unprivileged local user execute arbitrary code as root. The SUID-root rtapi_app helper accepts a user-supplied module name and passes it to dlopen() without sufficient validation, so path traversal lets an attacker load an arbitrary attacker-controlled shared library while the process is still privileged. No public exploit identified at time of analysis and the issue is not in CISA KEV; an upstream fix is available in version 2.9.9.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process escalate out of the sandbox via a crafted HTML page that triggers a type-confusion bug (CWE-843) in the Tabs component. Exploitation is gated behind prior renderer compromise and user interaction, and the flaw is rated High by Chromium with a CVSS 8.3 due to scope change and total impact. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC lists exploitation as none.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the renderer sandbox by abusing insufficient policy enforcement in the browser's USB (WebUSB) handling, delivered through a crafted HTML page. The flaw is rated Medium by Chromium but carries a high CVSS (8.3) due to the scope change from renderer to browser process; EPSS is low (0.21%, 11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available in the June 2026 Stable channel update.
Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome's Headless component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page. Rated High by Chromium and CVSS 8.3, it is a CWE-416 use-after-free with no public exploit identified at time of analysis; EPSS is low at 0.21% (11th percentile) and CISA SSVC records no known exploitation.
Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)