Skip to main content
CVE-2026-14092 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 150.0.7871.47 enables an on-path network adversary to bypass Chrome's privacy policy enforcement and observe data belonging to a different origin via crafted malicious network traffic. The flaw is classified as CWE-693 (Protection Mechanism Failure), indicating Chrome's privacy isolation layer fails to correctly enforce cross-origin restrictions under certain network conditions. EPSS sits at 0.11% (2nd percentile), no public exploit code is known, and the vulnerability has not been added to CISA KEV; Chromium itself rates this Low severity.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-14003 MEDIUM PATCH This Month

Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

Google Authentication Bypass Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-8944 MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP Google Plugin For Google Analytics By Io Technologies
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-27956 MEDIUM PATCH This Month

{server_uuid}/domains endpoint silently drops team-scope enforcement when the optional uuid query parameter is supplied, producing a classic IDOR (CWE-639) condition where a user-controlled key bypasses authorization. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the low attack complexity and single authentication prerequisite make the flaw trivially exploitable by any tenant in a multi-tenant Coolify deployment.

Authentication Bypass Coolify
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13907 MEDIUM PATCH This Month

UI spoofing in Google Chrome's iOSWeb component on iOS allows remote attackers to misrepresent interface elements to users running versions prior to 150.0.7871.47. The vulnerability, rooted in an inappropriate implementation (CWE-451), is triggered when a user performs specific UI gestures on a crafted HTML page, enabling spoofing of security-critical browser interface elements such as the address bar or permission dialogs. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the high attack complexity and mandatory user interaction meaningfully constrain real-world risk.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13895 MEDIUM PATCH This Month

UI spoofing via Chrome's Autofill component affects all desktop installations prior to version 150.0.7871.47, enabling a remote attacker to misrepresent interface elements through a crafted HTML page. Exploitation requires both navigating to an attacker-controlled page and performing specific UI gestures, reflected in CVSS AC:H and UI:R - passive browsing is insufficient. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.2 Medium score reflects limited integrity and availability impact with no confidentiality loss.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13992 MEDIUM PATCH This Month

UI spoofing in Google Chrome on macOS prior to version 150.0.7871.47 allows a remote attacker to misrepresent browser UI elements by convincing a user to perform specific UI gestures on a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw can cause security-sensitive browser chrome - such as origin indicators or permission prompts - to display falsified content, potentially deceiving users into unsafe actions. No public exploit code exists and this vulnerability is not listed in CISA KEV; the vendor has released a patch in the Chrome 150 stable channel.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13986 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Media UI component on ChromeOS allows a remote attacker to manipulate what a user sees by delivering a crafted HTML page and social-engineering the victim into performing specific in-browser UI gestures. Affected versions are all Chrome on ChromeOS prior to 150.0.7871.47. While classified Medium severity (CVSS 4.2), the practical risk is constrained by the requirement for active user interaction and the ChromeOS-only scope; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13973 MEDIUM PATCH This Month

UI spoofing in Google Chrome prior to 150.0.7871.47 allows a remote attacker to visually deceive users by misrepresenting browser UI elements through a crafted HTML page that requires the victim to perform specific interaction gestures. The flaw originates in an inappropriate implementation within Chrome's UI layer (CWE-451), enabling misrepresentation of critical information that could mislead users into unintended actions or false security assumptions. No public exploit code has been identified and the vulnerability is absent from CISA KEV; Google has released a fix in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13956 MEDIUM PATCH This Month

UI spoofing in Google Chrome's PageInfo component (all versions prior to 150.0.7871.47) enables remote attackers to misrepresent the browser's security indicators through a crafted HTML page that induces specific user UI gestures. The flaw (CWE-451) causes the PageInfo panel - the panel users consult to evaluate site trustworthiness - to render incorrect security UI, potentially deceiving victims into trusting malicious or unverified origins. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; exploitation requires high attack complexity and deliberate user interaction, keeping real-world risk moderate despite the ubiquitous deployment footprint of Chrome.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13860 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13857 MEDIUM PATCH This Month

UI spoofing via crafted HTML in Google Chrome's Geometry component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent security-critical interface elements to users who are socially engineered into performing specific UI gestures. The flaw stems from an inappropriate implementation in Chrome's Geometry subsystem (CWE-451), affecting the integrity and availability of the browser interface at low impact levels. No public exploit or active exploitation has been identified; Google has released a confirmed patch in version 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14137 MEDIUM PATCH This Month

UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to manipulate browser interface elements via a crafted HTML page, provided the attacker can lure the victim into performing specific UI gestures. The root cause is insufficient validation of untrusted HTML input (CWE-20) within Chrome's iOS-specific rendering layer, resulting in low-integrity and low-availability impact. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog; Chromium's own severity classification is Low.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14139 MEDIUM PATCH This Month

UI spoofing in Google Chrome's TabStrip component prior to version 150.0.7871.47 allows a remote attacker to misrepresent tab or page identity through a crafted HTML page, contingent on convincing the victim to perform specific UI gestures. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L) places real-world risk in the lower tier: high attack complexity, mandatory user interaction, and no confidentiality impact combine to limit practical exploitation. No public exploit code exists and CISA has not added this to the KEV catalog, consistent with Google's own Low severity classification.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14138 MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component on Windows (versions prior to 150.0.7871.47) enables a remote attacker to misrepresent the browser interface by luring a user into performing specific UI interaction gestures on a crafted HTML page. The flaw is Windows-platform-specific and rooted in an inappropriate implementation of the Progressive Web App installation UI flow. Google rates this Low severity; no public exploit identified at time of analysis, and EPSS data is not present in the provided intelligence, but the CVSS 4.2 score and required high-complexity user interaction significantly limit real-world risk.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14028 MEDIUM PATCH This Month

UI spoofing in Google Chrome for iOS prior to 150.0.7871.47 allows a remote attacker to misrepresent security indicators to users who are socially engineered into performing specific UI gestures on a crafted HTML page. The root cause is incorrect rendering of security UI elements (CWE-451), classified by the Chromium team as Low severity. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, aligning with the modest CVSS 4.2 score and the high-complexity attack requirements.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14129 MEDIUM PATCH This Month

UI spoofing in Google Chrome for Android (prior to 150.0.7871.47) via the PreviewTab feature allows remote attackers to misrepresent interface elements through a crafted HTML page. Successful exploitation requires high attack complexity - specifically, the attacker must convince a victim to perform particular UI gestures - limiting this to targeted rather than opportunistic attacks. No active exploitation or public proof-of-concept has been identified; the Chromium security team rates this as Low severity, consistent with its constrained CVSS 4.2 score.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14030 MEDIUM PATCH This Month

Omnibox (URL bar) spoofing in Google Chrome on Linux prior to 150.0.7871.47 is possible through an inappropriate SplitView implementation, allowing remote attackers to display false URLs to victims who are tricked into performing specific UI gestures on a crafted HTML page. This CWE-451 class flaw undermines browser trust indicators and enables phishing scenarios, though exploitation is constrained by high attack complexity and mandatory user interaction. No public exploit code or active exploitation has been identified; a vendor patch is available in the stable channel release.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14026 MEDIUM PATCH This Month

UI spoofing via incorrect security rendering in Chrome's SplitView component allows a remote attacker to misrepresent security-critical UI elements to a victim running any Chrome version prior to 150.0.7871.47. The attacker must serve a crafted HTML page and successfully induce the victim into performing specific UI gestures, after which SplitView renders misleading security indicators - enabling phishing-class deception within a trusted browser context. No public exploit code exists and no active exploitation has been confirmed; the Chromium team itself rated this Low severity, consistent with the CVSS 4.2 score and high attack complexity.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13998 MEDIUM PATCH This Month

UI spoofing via the File Input security indicator in Google Chrome on macOS allows a remote attacker to misrepresent security-critical interface elements when a user visits a crafted HTML page and performs specific UI gestures. Affected are all Chrome for Mac builds prior to 150.0.7871.47. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; combined with the high attack complexity and required user interaction, real-world exploitation at scale is unlikely without a targeted social engineering component.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13997 MEDIUM PATCH This Month

UI spoofing in the Extensions component of Google Chrome on Android (prior to 150.0.7871.47) allows a remote attacker to misrepresent security UI elements by luring a victim into performing specific UI gestures on a crafted HTML page. The root cause (CWE-451) is incorrect rendering of security-critical extension UI, potentially misleading users about which extensions are active or what permissions they hold. No public exploit identified at time of analysis; the vendor has released a patch in the stable channel update.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13993 MEDIUM PATCH This Month

Domain spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.47) allows remote attackers to misrepresent the security origin displayed to a user, enabling phishing or social engineering attacks. Exploitation requires convincing the victim to perform specific UI gestures while visiting a crafted HTML page, placing this in a moderate-complexity social engineering category. No public exploit code has been identified at time of analysis, and the vendor has released a patch in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13983 MEDIUM PATCH This Month

Omnibox (URL bar) spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to display falsified URL content to a victim user via a crafted HTML page. Exploitation requires convincing the target to perform specific UI gestures while visiting the malicious page, making this a phishing-enabler rather than a direct code-execution primitive. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; Google has released a fix in the 150.0.7871.47 stable channel update.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14133 MEDIUM PATCH This Month

UI spoofing via race condition in Google Chrome's History Embeddings component (versions prior to 150.0.7871.47) enables remote attackers to present falsified browser interface elements to users through a crafted HTML page. The flaw requires both high attack complexity - a precisely timed race window - and victim interaction, yielding only limited confidentiality and integrity impact with no code execution capability. No public exploit or active exploitation has been identified; EPSS at 0.14% (4th percentile) and SSVC exploitation status of 'none' confirm extremely low real-world exploitation probability at time of analysis.

Information Disclosure Race Condition Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-13957 MEDIUM PATCH This Month

Incorrect security UI in Google Chrome's Extensions subsystem prior to version 150.0.7871.47 enables Universal Cross-Site Scripting (UXSS), allowing script or HTML injection across web origins via a crafted HTML page. Exploitation requires that the victim user be socially engineered into installing a malicious extension, after which a crafted page triggers the CWE-79 flaw in the Extensions UI. No public exploit exists at time of analysis, EPSS sits at the 4th percentile, and CISA has not listed this in KEV, consistent with the SSVC exploitation:none assessment.

XSS Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-14144 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Views component (versions prior to 150.0.7871.47) allows a remote attacker to misrepresent security-critical browser interface elements through a crafted HTML page. Exploitation requires convincing a target user to perform specific UI gestures, making the attack conditional on social engineering. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; Google has released a patch as part of the stable channel update.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-13905 MEDIUM PATCH This Month

Race condition exploitation in Google Chrome for iOS (prior to 150.0.7871.47) exposes potentially sensitive data from process memory to a local attacker with physical device access. The flaw is rooted in improper synchronization (CWE-362) and requires high attack complexity to successfully win the timing window. No public exploit has been identified and the vulnerability is not listed in CISA KEV; the vendor has released a patching fix in the 150.0.7871.47 stable channel update.

Information Disclosure Apple Race Condition Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-57964 MEDIUM This Month

Insufficient data exists to characterize CVE-2026-57964 meaningfully. The only confirmed signal is a vendor attribution to Ubuntu (Canonical), with no description, CVSS score, vector, or CWE provided. No exploitation status, affected component, or impact can be determined from the available intelligence. Security teams should monitor the Ubuntu Security Notices (USN) portal and the NVD entry for this CVE as data becomes available.

Information Disclosure
NVD
CVE-2026-44605 MEDIUM This Month

Insufficient data exists to characterize CVE-2026-44605 meaningfully. The only available intelligence signal is a vendor attribution to Ubuntu, with no description, CVSS vector, CWE classification, or reference URLs provided. The CVE ID year (2026) places this beyond the analyst's knowledge cutoff of August 2025, meaning no corroborating open-source intelligence can be applied. No exploitation status, affected version range, or impact class can be stated with any confidence.

Information Disclosure
NVD
CVE-2026-13606 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-13606. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating this vulnerability affects a package or component within the Ubuntu ecosystem. No description, CVSS score, vector, CWE classification, or additional references are available - a complete technical characterization is not possible from the provided data.

Information Disclosure Red Hat Suse
NVD
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy