Skip to main content
CVE-2026-13962 MEDIUM PATCH This Month

Insufficient data validation in PDF in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13953 MEDIUM PATCH This Month

Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13930 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to version 150.0.7871.47 enables remote attackers to circumvent browser policy enforcement via a crafted HTML page targeting the 'Actor' component. The flaw is rooted in CWE-602 (Client-Side Enforcement of Server-Side Security), where controls that should be authoritative are applied within the browser and can be subverted by an adversary-controlled page. EPSS at 0.22% (13th percentile) indicates low current exploitation probability, no public exploit code has been identified, and the vulnerability is not listed in CISA KEV; no public exploit identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13926 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent Chrome's network navigation controls via a crafted HTML page. The vulnerability stems from CWE-20 (Improper Input Validation) in Chrome's Network component, producing a high-integrity impact with no confidentiality or availability loss. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (13th percentile) places exploitation likelihood well below the median, though the pre-compromised renderer prerequisite makes this a chained attack vector relevant primarily within multi-stage browser exploitation chains.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13924 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's WebView component on Android enables a remote attacker who has already compromised the renderer process to perform cross-origin integrity violations by serving a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. This is explicitly a chained attack requiring a pre-existing renderer compromise, making it a second-stage exploit rather than a standalone entry point. No public exploit code exists and no public exploitation has been confirmed at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13921 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials component allows remote attackers to violate cross-origin isolation guarantees via a crafted HTML page. Affected are all Chrome desktop releases prior to 150.0.7871.47 on all supported platforms. Exploitation requires user interaction (visiting an attacker-controlled page) and yields high integrity impact - enabling cross-origin state manipulation - with no confidentiality or availability consequence. No active exploitation is confirmed (not in CISA KEV), EPSS is low at 0.22% (13th percentile), and SSVC rates exploitation as none with partial technical impact; a vendor patch is available.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13919 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to circumvent extension policy enforcement and escape site isolation boundaries via a crafted HTML page. The root cause (CWE-602) is client-side enforcement of security policies in the Extensions subsystem that can be subverted once the renderer is under attacker control. No active exploitation has been confirmed - EPSS is 0.22% (13th percentile), SSVC rates exploitation as none and the attack as non-automatable - and a vendor-released patch is available in Chrome 150.0.7871.47.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13917 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) allows a remote attacker to subvert browser-enforced navigation controls by luring a user into performing specific UI gestures on a crafted HTML page. Classified as CWE-20 (Improper Input Validation), the flaw undermines integrity by permitting unauthorized navigation that the browser is intended to block. No public exploit code exists and EPSS sits at 0.22% (13th percentile), indicating low observed exploitation probability; the vulnerability is not listed in CISA KEV.

Authentication Bypass Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13896 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Glic feature (versions prior to 150.0.7871.47) enables remote attackers to circumvent policy enforcement controls by delivering a crafted HTML page that triggers insufficient validation logic. The flaw maps to CWE-602, meaning security enforcement intended to be authoritative is implemented client-side in a bypassable manner, resulting in high integrity impact with no confidentiality or availability consequence. No public exploit or active exploitation has been identified at time of analysis, and EPSS at 0.22% (13th percentile) reflects low current exploitation probability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13886 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome's Isolated Web Apps (IWA) subsystem allows remote attackers to circumvent enforcement mechanisms via a specially crafted HTML page, resulting in high-integrity impact with no confidentiality or availability consequence. Affected versions are all Chrome releases prior to 150.0.7871.47. User interaction is required - the victim must visit the attacker-controlled page - and no public exploit or CISA KEV listing has been identified at time of analysis. The low EPSS score of 0.22% (13th percentile) reinforces that active exploitation is not currently observed.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13871 MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13868 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13866 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13839 MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13838 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13818 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13795 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14103 MEDIUM PATCH This Month

Use-after-free in Chrome's SSL handling on ChromeOS exposes process memory contents to remote attackers who can serve a crafted HTML page. Only ChromeOS builds of Chrome prior to 150.0.7871.47 are affected - this is not a cross-platform flaw. SSVC rates exploitation status as none and technical impact as partial, and Chromium's own severity classification is Low, making this a routine patch-cycle priority rather than an emergency response item despite the CVSS 6.5 score.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14069 MEDIUM PATCH This Month

Integer overflow in the WebNN component of Google Chrome prior to 150.0.7871.47 allows an unauthenticated remote attacker to read potentially sensitive data from Chrome's process memory. Exploitation requires convincing a victim to visit a crafted HTML page, placing this in the class of user-interaction-dependent browser memory disclosure vulnerabilities. No public exploit code exists and CISA has not listed this in KEV; SSVC rates exploitation as 'none' and Chromium's own triage assigns 'Low' severity, suggesting the disclosed memory is constrained in practice.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13892 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for iOS prior to 150.0.7871.47 exposes sensitive information from other origins when a remote attacker convinces a victim to perform specific UI gestures on a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome browser layer, classified under CWE-451 (UI Misrepresentation), and enables confidentiality compromise without requiring attacker privileges. No public exploit code has been identified at time of analysis, and EPSS at 0.22% (12th percentile) signals low near-term automated exploitation risk.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13847 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14148 MEDIUM PATCH This Month

Type confusion in the CSS processing engine of Google Chrome prior to 150.0.7871.47 enables remote attackers to read potentially sensitive data from renderer process memory by delivering a crafted HTML page to a victim. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no attacker privileges required, though a single user interaction - visiting the malicious page - is necessary. No public exploit code has been identified, CISA SSVC rates exploitation as none at time of analysis, and Chromium's own team classified severity as Low, suggesting limited practical memory disclosure value despite the NVD CVSS C:H rating.

Memory Corruption Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14061 MEDIUM PATCH This Month

Process memory disclosure in Google Chrome's Dawn WebGPU component (versions prior to 150.0.7871.47) enables remote attackers to read potentially sensitive data from the browser's process memory by luring a victim to a crafted HTML page. The flaw is categorized under CWE-284 (Improper Access Control) within the Dawn graphics abstraction layer, which underpins Chrome's WebGPU implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and Google's own Chromium security team rates the severity as Low despite the NVD CVSS score of 6.5.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14035 MEDIUM PATCH This Month

Insufficient Bluetooth policy enforcement in Google Chrome prior to 150.0.7871.47 allows remote attackers to read potentially sensitive data from browser process memory by luring a victim to a crafted HTML page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores 6.5 Medium at NVD, though Chromium's own severity rating is 'Low,' suggesting Chrome's sandbox architecture limits practical memory exposure. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13949 MEDIUM PATCH This Month

Insufficient policy enforcement in the Payments component of Google Chrome on Android prior to 150.0.7871.47 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a specially crafted HTML page, making this a user-interaction-dependent, network-delivered information disclosure. No active exploitation is confirmed (SSVC: Exploitation: none; not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the CVSS confidentiality impact is rated High due to the potential for process memory leakage.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14074 MEDIUM PATCH This Month

Side-channel information leakage in the WebAuthentication component of Google Chrome on iOS (prior to 150.0.7871.47) exposes cross-origin data to remote attackers via a crafted HTML page, requiring only that a victim visit attacker-controlled content. The CVSS Confidentiality:High rating reflects the category of cross-origin data exposure, while Chromium's own internal severity classification of Low and an EPSS score of 0.21% (11th percentile) both signal that practical exploitation is considered unlikely at scale. No public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14022 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Network component (versions prior to 150.0.7871.47) enables a remote attacker who has already achieved renderer process compromise to bypass same-origin policy protections and exfiltrate sensitive cross-origin data via a crafted HTML page. This vulnerability functions as a second-stage exploit primitive within a chain - it does not enable initial access but extends the impact of an existing renderer compromise. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.21% (11th percentile) reflects low observed exploitation activity.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14004 MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13985 MEDIUM PATCH This Month

UI spoofing via MediaCapture in Google Chrome prior to 150.0.7871.47 enables a remote attacker who has already compromised the renderer process to misrepresent browser UI through a crafted HTML page, potentially deceiving users into granting permissions or trusting malicious content. This is a chained exploitation technique - it requires a prior renderer compromise as a prerequisite - making it a post-exploitation integrity threat rather than an initial access vector. EPSS is 0.21% (11th percentile), no public exploit or CISA KEV listing exists at time of analysis, and Google has patched this in the stable channel update.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13937 MEDIUM PATCH This Month

Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13935 MEDIUM PATCH This Month

Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13932 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's Sharing feature on Android exposes sensitive page content to remote attackers who have already compromised the renderer process, exploitable via a crafted HTML page. All Chrome for Android builds prior to 150.0.7871.47 are affected; the fixed release is confirmed by Google's stable channel advisory. EPSS of 0.21% (11th percentile) and absence from CISA KEV indicate negligible observed exploitation pressure at time of analysis, though the high confidentiality impact and ubiquitous deployment of Chrome on Android make patching a clear priority.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13922 MEDIUM PATCH This Month

Side-channel cross-origin data leakage in Google Chrome's Paint rendering component (all versions prior to 150.0.7871.47) allows remote attackers to infer sensitive content belonging to other origins by enticing a victim to visit a crafted HTML page. The vulnerability exploits a weakness in the Paint subsystem's rendering pipeline (CWE-1300: Improper Protection of Physical Side Channels), enabling an attacker page to observe rendering state or timing variations and reconstruct protected cross-origin data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; EPSS probability is low at 0.21% (11th percentile). Vendor-released patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13913 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Autofill subsystem on iOS (versions prior to 150.0.7871.47) enables remote attackers to read sensitive data across origin boundaries by luring victims into performing specific UI gestures on a crafted page. Rooted in CWE-346 (Origin Validation Error), the Autofill policy enforcement layer fails to maintain proper origin isolation under targeted interaction conditions. With an EPSS of 0.21% (11th percentile) and no CISA KEV listing, no public exploit identified at time of analysis, though the CVSS-rated High confidentiality impact warrants prompt patching given Chrome's broad iOS deployment footprint.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13910 MEDIUM PATCH This Month

Cross-origin data leakage in the WebXR implementation of Google Chrome on Android (versions prior to 150.0.7871.47) allows remote unauthenticated attackers to exfiltrate sensitive cross-origin information by enticing a victim to visit a crafted HTML page. The flaw is rooted in CWE-693 (Protection Mechanism Failure), where WebXR fails to enforce cross-origin isolation policies on Android specifically. No public exploit code has been identified and EPSS sits at 0.21% (11th percentile), indicating low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13887 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's NFC implementation on Android exposes sensitive information to attackers who have already compromised the renderer process. Chrome versions prior to 150.0.7871.47 on Android fail to properly validate origins when handling NFC interactions, allowing a renderer-level attacker to read data across origin boundaries via a crafted HTML page. No public exploit or CISA KEV listing exists at time of analysis, and EPSS sits at the 11th percentile, indicating low observed exploitation probability despite the theoretical confidentiality impact.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13840 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Canvas component prior to version 150.0.7871.47 exposes sensitive cross-origin content to remote attackers via a crafted HTML page. The flaw bypasses Same-Origin Policy protections enforced at the Canvas API layer, enabling pixel-level or structured data extraction from cross-origin resources rendered in a canvas context. With CVSS 6.5, EPSS at 0.21% (11th percentile), and no CISA KEV listing or public exploit identified at time of analysis, real-world exploitation is low-probability but credible given the zero-privilege, network-accessible attack path requiring only a single user visit.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13826 MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's Autofill implementation on Android allows a remote attacker with prior renderer process compromise to extract sensitive data across origin boundaries using a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. No public exploit code has been identified and the EPSS score of 0.21% (11th percentile) reflects low observed exploitation activity; however, the cross-origin data exposure (CWE-346) combined with Autofill access creates meaningful privacy risk for users on vulnerable Android builds. Google has released a patch in the stable channel update.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13820 MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13816 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android prior to 150.0.7871.47 enables remote attackers to read data from other origins via a crafted HTML page exploiting insufficient validation in the File Input component. The flaw is Android-platform-specific, requiring only that a victim user navigate to an attacker-controlled page. No active exploitation has been confirmed (CISA KEV negative, SSVC exploitation: none), and EPSS at 0.21% (11th percentile) reflects low current exploitation interest, though the unauthenticated, low-complexity attack vector keeps it a relevant patching priority for Android Chrome deployments.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13809 MEDIUM PATCH This Month

Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13793 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13790 MEDIUM PATCH This Month

Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13908 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Omnibox on iOS (prior to 150.0.7871.47) enables a remote attacker to circumvent address bar security controls through insufficient input validation, contingent on user interaction with specific UI gestures during exposure to malicious network traffic. The integrity impact is rated High (I:H) with no confidentiality or availability impact, consistent with a content/navigation spoofing class of vulnerability. No public exploit code or CISA KEV listing has been identified; EPSS score of 0.20% (10th percentile) indicates low observed exploitation probability at time of analysis.

Authentication Bypass Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14146 MEDIUM PATCH This Month

Cross-origin data leak in Google Chrome's CSS implementation (versions prior to 150.0.7871.47) enables remote attackers to exfiltrate sensitive data from other origins when a victim visits a specially crafted HTML page. The vulnerability stems from inappropriate CSS handling that creates a side-channel bypassing same-origin policy protections, resulting in high-confidentiality-impact information disclosure with no integrity or availability consequences. No public exploit has been identified and exploitation has not been observed in the wild; CISA SSVC rates exploitation as none and technical impact as partial, aligning with Google's internal Low severity classification despite the NVD CVSS 6.5 score.

Google Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-36359 MEDIUM PATCH This Month

Session hijacking in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 allows an authenticated user to impersonate another user because session IDs are not invalidated after they expire (CWE-613). An attacker who obtains or reuses a stale session identifier can act with the victim's identity, producing high confidentiality and integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

IBM Information Disclosure Devops Automation Devops Loop
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13893 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's WebUI component (versions prior to 150.0.7871.47) enables remote attackers to leak sensitive data across origin boundaries by delivering crafted malicious network traffic to an unpatched browser. The flaw arises from insufficient input validation (CWE-20) within the WebUI layer, undermining same-origin policy protections and exposing data from isolated origins to attacker-controlled contexts. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.20% (10th percentile), and no public POC has been identified; a vendor-released patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14033 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14007 MEDIUM PATCH This Month

Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
Prev Page 2 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy