Skip to main content
CVE-2026-58116 CRITICAL Act Now

Remote code execution in LLaMA-Factory through version 0.9.5 allows attackers who can reach the Gradio WebUI to run arbitrary Python by entering a malicious model path in the Chat or Training interfaces. Because the app forwards unvalidated user input into Hugging Face's AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True, a referenced repository's custom modeling code executes with the server process's privileges. Publicly available exploit code exists (a proof-of-concept gist plus a VulnCheck advisory), though it is not listed in CISA KEV and no in-the-wild abuse is documented in the available data.

Code Injection Python RCE Llama Factory
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-12076 CRITICAL Act Now

SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter parsing pipeline, yielding full compromise of the backing PostgreSQL database and extraction of stored credentials. The CVSS 4.0 base score is 9.3 (critical) with a fully network-reachable, no-privilege, no-interaction vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network-facing nature makes it a high-priority patch candidate.

PostgreSQL SQLi Raytha
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56278 CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets unauthenticated remote attackers forge valid signed session cookies and impersonate any user, including administrators. The flaw stems from a publicly known hardcoded default secret ('flowise') used by the express-session middleware whenever the EXPRESS_SESSION_SECRET environment variable is left unset - the default deployment state. No public exploit identified at time of analysis, but forgery is trivial since the signing key is visible in the source code, and CVSS 4.0 rates it 9.3 (Critical).

Authentication Bypass Flowise
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12819 CRITICAL CISA Act Now

Unauthenticated Modbus TCP exposure on the Delta Electronics DVP12SE programmable logic controller lets any network-reachable attacker invoke security-sensitive PLC functions - reading and writing process registers, coils, and configuration - with no credentials or access control. The flaw (CWE-306, Missing Authentication for a Critical Function) carries a CVSS 4.0 base of 9.3 and is documented in Delta advisory PCSA-2026-00011 alongside CVE-2026-12818. There is no public exploit identified at time of analysis and no CISA KEV listing, but the Modbus protocol is trivially scriptable and well understood, lowering the practical exploitation bar.

Authentication Bypass Dvp 12Se
NVD VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12818 CRITICAL CISA Act Now

Resource exhaustion in Delta Electronics DVP12SE programmable logic controllers lets remote attackers crash or hang the device by overwhelming its Modbus TCP service, which lacks connection/resource throttling (CWE-770). Any host able to reach the PLC's Modbus TCP port can degrade or deny control of the affected industrial process. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated network attack surface makes it a meaningful availability risk in OT environments.

Denial Of Service Dvp 12Se
NVD VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-11712 CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets a remote attacker inject malicious script into the administrative console help system, which executes in the browser session of an administrator who is lured into viewing the crafted content. Because the payload runs inside an authenticated admin context, it can be abused to hijack the console session, manipulate configuration, or steal sensitive credentials. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires the victim administrator to interact with the malicious content (UI:R).

XSS IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-11708 CRITICAL Act Now

Cross-site scripting in IBM WebSphere Application Server 9.0 and 8.5 lets an attacker inject malicious script into the administrative console's integrated help system, which then executes in the browser of an administrator who views the affected page. Successful exploitation can hijack the admin session or perform actions in the console UI context. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, so risk is currently theoretical rather than actively exploited.

XSS IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-58450 MEDIUM POC This Month

Open redirect in Invoice Ninja's client portal login (through version 5.13.26) enables unauthenticated attackers to craft login URLs that transparently redirect authenticated victims to attacker-controlled external sites after they complete a legitimate login. The vulnerability stems from the `intended` query parameter being stored in the session without host validation, then emitted verbatim by the `ContactLoginController::authenticated()` handler post-login, making it a reliable phishing vector against Invoice Ninja clients. A publicly available proof-of-concept exists; no CISA KEV listing is present at time of analysis.

Open Redirect Invoiceninja
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14038 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's New Tab Page prior to 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) and requires a pre-existing renderer foothold, making it a second-stage exploit rather than an initial-access vector. Google rated the Chromium severity as Low; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%, 7th percentile).

Information Disclosure Google Suse
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-58370 CRITICAL PATCH Act Now

Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a GitLab-backed repository run unapproved, attacker-controlled pipelines. Because the GitLab forge driver populates pipeline.Author from the spoofable git commit author name (commit.author.name) rather than the GitLab-validated user identity, an attacker simply sets the commit author to a name listed in ApprovalAllowedUsers, making needsApproval return false. This grants arbitrary CI step execution on a Woodpecker agent and exposure of CI secrets; there is no public exploit identified at time of analysis, but the issue was reported by VulnCheck and is trivially reproducible.

Authentication Bypass Gitlab Gitea Woodpecker
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-56264 CRITICAL PATCH Act Now

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code to the /execute_js endpoint, which runs it inside the server's Chromium browser context launched with --disable-web-security. Because the browser's same-origin and CORS protections are disabled, attacker-controlled JavaScript can pivot into server-side request forgery against internal services and metadata endpoints. No public exploit has been identified at time of analysis, and the CVSS 4.0 base score is 9.2 (critical), though the vector's high attack complexity and present attack requirements indicate exploitation is not fully trivial.

Code Injection SSRF Docker RCE Crawl4ai
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-48315 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier stems from improper input validation (CWE-20) that lets an attacker craft a malicious file which, when opened by a victim, executes code in the context of the current user and can inject scripts to hijack the victim's account or session. The CVSS 3.1 base score is 9.3 (Critical) with a changed scope, reflecting cross-boundary impact once the victim is lured into interaction. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, so risk currently hinges on social-engineering a target into opening attacker-supplied content.

RCE Coldfusion
NVD VulDB
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-53690 CRITICAL Act Now

SQL injection in Redeight CMS 1.0 lets unauthenticated remote attackers extract sensitive database contents by injecting through the 'userEmail' POST parameter of the /admin/index.php login endpoint. Because user input is interpolated directly into SQL without prepared statements, an attacker needs no credentials and no user interaction to read or manipulate backend data, including admin authentication material. The flaw was reported by CERT-PL and carries a CVSS 4.0 base score of 9.3 (Critical); no public exploit identified at time of analysis.

SQLi PHP Redeight Cms
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-14162 CRITICAL PATCH Act Now

Sensitive data exposure in Advantech Hospital Queuing Management lets unauthenticated remote attackers reach a specific URL and retrieve the application's API documentation, mapping out endpoints and parameters without any credentials. The flaw is rooted in missing authentication (CWE-306) on a resource that should be protected, and TWCERT rates it CVSS 4.0 9.3 (Critical). No public exploit is identified at time of analysis, but the exposed API documentation provides reconnaissance that materially lowers the barrier to follow-on attacks.

Authentication Bypass Information Disclosure Hospital Quering Management
NVD VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-13449 CRITICAL Act Now

XML external entity (XXE) injection in IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 lets a remote, unauthenticated attacker submit crafted XML to the application's XML parser to read sensitive files or exhaust memory. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) but has no public exploit identified at time of analysis, and EPSS is low at 0.39% (31st percentile). Reported by IBM PSIRT with a vendor advisory published (IBM support node 7278532).

XXE IBM Business Automation Manager
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-58016 CRITICAL PATCH Act Now

Denial of service in GNOME GLib (versions before 2.88.1) arises when g_dbus_node_info_new_for_xml() parses malformed D-Bus introspection XML that nests a <node> element inside <method>, <signal>, <property>, or <arg>. This state-confusion bug triggers an unsigned integer underflow/overflow (CWE-191) and a subsequent out-of-bounds read, crashing any application or service that parses attacker-influenced introspection data. No public exploit identified at time of analysis, EPSS is low (0.34%), and CISA SSVC rates exploitation as none with only partial technical impact.

Integer Overflow Denial Of Service Buffer Overflow Glib Enterprise Linux
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-6556 CRITICAL PATCH Act Now

Authorization bypass in the @fastify/express middleware-compatibility plugin (versions 4.0.6 and earlier) lets unauthenticated remote attackers reach protected routes inside prefixed Fastify plugin scopes when security middleware is mounted using array or regular-expression paths. Because those non-string mount paths are never rewritten with the plugin prefix, authentication, authorization, rate-limiting, or auditing middleware silently fails to match the real request path and is skipped while Fastify still routes the request to the handler. There is no public exploit identified at time of analysis, and the issue is fixed in 4.0.7.

Authentication Bypass Fastify Express
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-10560 CRITICAL Act Now

Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.

Authentication Bypass IBM Denial Of Service Information Disclosure Langflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-7874 CRITICAL PATCH Act Now

Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mechanism used to protect secrets encrypted at rest, allowing an attacker who can reach the stored credential data to recover the encryption key and decrypt every stored credential. Because Langflow stores API keys, database connection strings, and third-party service tokens used by AI workflow components, recovery of these secrets gives an attacker the keys to all integrated systems. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied, so the threat is currently theoretical but high-impact, and IBM (the reporter) has released a fix.

IBM Information Disclosure Langflow Oss
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-13852 CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13851 CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13872 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 150.0.7871.47 lets a local attacker break out of the renderer/browser sandbox by feeding a malicious file into the WebAppInstalls component, which insufficiently validates untrusted input (CWE-20). Chromium rates the security severity as Medium, and no public exploit has been identified at time of analysis; EPSS estimates only a 0.13% (3rd percentile) chance of exploitation in the next 30 days. A vendor patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-9576 MEDIUM POC PATCH This Month

Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.

WordPress Information Disclosure Fluent Booking
NVD WPScan VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-56808 HIGH This Week

Privileged OS command injection in the AVTECH Security Corporation DGM3103SCT surveillance device lets an authenticated user of the web management console inject operating-system commands that run with root privilege (CWE-78). Disclosed via JPCERT/CC coordination (JVN28979424), it carries CVSS 4.0 base 8.6 with no public exploit identified at time of analysis. Because the CVSS vector requires high privileges (PR:H), exploitation presumes a logged-in administrative web user, but successful abuse yields full root-level device takeover.

Command Injection Dgm3103Sct
NVD VulDB
CVSS 4.0
8.6
EPSS
1.6%
CVE-2026-41053 HIGH PATCH GHSA This Week

Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal access they should not hold, because the GitHub authentication provider incorrectly caches the result of team membership expansion. The flaw (CWE-303, CVSS 8.8) means a low-privileged GitHub-authenticated user can be granted access tied to other principals/teams, effectively bypassing intended authorization. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Rancher
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-48307 HIGH This Week

Reflected Cross-Site Scripting in Adobe ColdFusion 2025.9, 2023.20 and earlier lets an attacker craft a malicious link that, when opened by a victim, injects and executes attacker-controlled script in the victim's browser session, with Adobe characterizing the impact as potential arbitrary code execution in the context of the current user. Because the CVSS scope is changed and confidentiality, integrity and availability impacts are all rated High, a successful attack against an authenticated ColdFusion administrator could compromise the management interface. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS RCE Coldfusion
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13967 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. Exploitation requires user interaction (visiting a malicious page) but no authentication, and the flaw carries a CVSS 8.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), indicating no evidence of widespread exploitation despite the high CVSS.

Memory Corruption RCE Buffer Overflow Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13759 HIGH PATCH This Week

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.

Deserialization IBM RCE Websphere Extreme Scale
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14067 HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple Denial Of Service Use After Free +2
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13899 HIGH PATCH This Week

Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13898 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome's Cast Receiver component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by luring a victim to a crafted HTML page. Google rates the Chromium severity as Medium because the resulting code execution is confined to the browser sandbox, though NVD scores it CVSS 8.8; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.27% (18th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13965 HIGH PATCH This Week

Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13888 HIGH PATCH This Week

Use-after-free in the Extensions component of Google Chrome before 150.0.7871.47 lets a remote attacker execute arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. Chromium rated the security severity Medium, though the associated CVSS score is 8.8 (High) due to network vector and high impact; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.26%. Google has shipped a fixed Stable channel build.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13885 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome for Android before 150.0.7871.47, stemming from a use-after-free in the Skia graphics library, lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rated the Chromium security severity as Medium, and no public exploit has been identified at time of analysis; the EPSS score is low (0.26%, 17th percentile), and the bug is not on CISA KEV. Exploitation requires user interaction (visiting the malicious page) but no authentication.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13870 HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13848 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13845 HIGH PATCH This Week

Arbitrary code execution in Google Chrome's DOM implementation lets a remote attacker run code within the renderer sandbox by luring a victim to a crafted HTML page. All desktop Chrome builds before 150.0.7871.47 are affected; Chromium rates the flaw High severity. No public exploit has been identified and EPSS probability is low (0.26%), but the vendor patch is already available and should be applied promptly.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13821 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free in the Canvas component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page), but no authentication. There is no public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13815 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and 8.8 (CVSS 3.1); it requires user interaction (visiting a malicious page) and no privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with a low EPSS of 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13811 HIGH PATCH This Week

Renderer-process remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Input Method Editor (IME) component, letting a remote attacker run arbitrary code within the browser's sandbox when a victim visits a crafted HTML page. Rated High by Chromium and CVSS 8.8, it requires user interaction (visiting a page) but no authentication. No public exploit identified at time of analysis, and the EPSS score is low (0.26%, 17th percentile), indicating no evidence of widespread exploitation yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13805 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 150.0.7871.47 stems from a use-after-free in the GFX (graphics) component, allowing a remote attacker to run arbitrary code after a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS is 8.8, but exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis and EPSS is low (0.26%, 17th percentile), indicating no observed weaponization yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13788 HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13786 HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14149 HIGH PATCH This Week

Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13830 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux allows an adjacent-network attacker to run arbitrary code by sending malicious network traffic to a vulnerable client before version 150.0.7871.47. The flaw is a use-after-free memory-corruption issue rated High by Chromium and carries a CVSS 8.8. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.24%, 15th percentile), indicating no observed exploitation activity yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13825 HIGH PATCH This Week

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13784 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13783 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13903 HIGH PATCH This Week

Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14107 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Scheduling component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. There is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV; EPSS is low at 0.21% (12th percentile). Google rates the Chromium security severity as Low despite the NVD CVSS of 8.8, reflecting that code execution is confined to the sandbox rather than the host.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
Prev Page 3 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy