Skip to main content
CVE-2026-48282 CRITICAL POC KEV THREAT Emergency

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and earlier enables remote, unauthenticated attackers to write or access files outside intended directories and achieve arbitrary code execution in the context of the current user. Rated CVSS 10.0 with a changed scope and no user interaction required, this is among the most severe ColdFusion flaws possible. No public exploit identified at time of analysis, but the impact and trivial attack complexity make it a top patching priority.

Path Traversal RCE Coldfusion
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
1.0%
Threat
5.0
CVE-2026-48313 CRITICAL POC Act Now

Path traversal in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets remote attackers (PR:N) read arbitrary files outside the intended web scope and perform limited writes, with no user interaction required. The scope-change (S:C) and high confidentiality impact drive a 9.3 critical rating, meaning a successful read can expose secrets - configuration, credentials, and source - that compromise components beyond ColdFusion itself. No public exploit is identified at time of analysis and the issue is not in CISA KEV, but ColdFusion's history of weaponized path-traversal and file-disclosure bugs makes prompt patching prudent.

Path Traversal Coldfusion
NVD VulDB
CVSS 3.1
9.3
EPSS
0.5%
CVE-2026-58172 CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56413 CRITICAL PATCH CISA Act Now

Unauthenticated remote code execution in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets attackers run arbitrary commands as root by sending a crafted packet to the ms_service.pl listener on TCP port 9000. The flaw was reported through CISA ICS-CERT (advisory ICSA-26-181-06) and carries the maximum CVSS 4.0 base score of 10.0; no public exploit has been identified at time of analysis, but the combination of network reachability, zero authentication, and root-level impact makes this a top-priority issue for any exposed device.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
3.1%
Threat
4.1
CVE-2026-56415 CRITICAL PATCH CISA Act Now

Unauthenticated remote command injection in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets remote attackers run arbitrary OS commands as root by sending a crafted HTTP request to the debug.pl script, which processes attacker input without sanitization. Rated CVSS 4.0 10.0 and reported through CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis. This is a complete-compromise primitive requiring no credentials or user interaction.

Command Injection
NVD GitHub
CVSS 4.0
10.0
EPSS
3.1%
Threat
4.1
CVE-2026-50003 CRITICAL CISA Emergency

Path traversal in OFFIS DCMTK (DICOM Toolkit) lets a malicious or compromised DICOM server write attacker-controlled files to arbitrary locations on a DCMTK client host whenever that client retrieves objects using bit-preserving C-GET storage mode. Because the client trusts server-supplied storage paths, both relative (../) and absolute paths escape the chosen output directory, enabling overwrite of client-side files and potential code execution. Reported via CISA ICS-CERT (medical advisory ICSMA-26-181-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Dcmtk Toolkit
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-50110 CRITICAL PATCH CISA Act Now

Credential exposure in StoneFly Storage Concentrator (SC) and its virtual machine variant (SCVM) lets an attacker recover plaintext credentials for numerous internal services from a configuration file where they are stored using reversible encoding rather than encryption. The hardcoded accounts cover databases, licensing, replication, and third-party integrations, so recovering them grants pivoting access across multiple interconnected systems. Reported to NVD via CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis and the vector is local (AV:L).

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-55721 CRITICAL PATCH CISA Act Now

SQL injection in StoneFly Storage Concentrator (SC and SCVM) lets an unauthenticated remote attacker read sensitive database contents by injecting through the cookie value handled by the login.pl and debug.pl CGI scripts. Successful exploitation discloses session tokens, password hashes, and stored secret keys, enabling authentication bypass and broader compromise of the storage appliance. There is no public exploit identified at time of analysis, and the issue is tracked under CISA ICS advisory ICSA-26-181-06.

SQLi
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-48276 CRITICAL POC Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote attacker upload a file of a dangerous type (e.g., a CFML/JSP payload) and execute it in the context of the current user, with no user interaction required. The CVSS 3.1 base score is the maximum 10.0 with a changed scope, reflecting that successful exploitation breaches the ColdFusion process boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but ColdFusion's history of weaponized file-upload/RCE bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48277 CRITICAL Act Now

Remote code execution in Adobe ColdFusion (versions 2025.9, 2023.20 and earlier) lets a remote attacker run arbitrary code in the context of the current user with no authentication and no user interaction, per the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scored 10.0 with a changed scope. The root cause is improper input validation (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48286 CRITICAL Act Now

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. It carries a maximum CVSS 10.0 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Adobe RCE Adobe Campaign Classic Acc
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-10134 CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload RCE Langflow
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-13782 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-48281 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier lets a remote attacker run code in the context of the current user with no authentication and no user interaction. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS of 10.0 with a changed scope, meaning impact can extend beyond the vulnerable component. No public exploit identified at time of analysis, but ColdFusion's history of weaponized RCE bugs makes this a high-priority patch.

RCE Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48283 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases stems from an unrestricted dangerous-file-type upload (CWE-434) that lets a remote attacker drop and execute a malicious payload, such as a CFM/CFML webshell, in the context of the running ColdFusion user. Rated CVSS 10.0 with a changed scope, it requires no user interaction and, per the provided vector, no authentication. No public exploit identified at time of analysis, though ColdFusion's history of weaponized upload bugs makes this a high-priority patch.

RCE File Upload Coldfusion
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-10109 CRITICAL NEWS Act Now

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake. Because the flaw is reachable before any login, any client able to reach the database listener can trigger it, and the CVSS 3.1 base score of 9.8 reflects full compromise of confidentiality, integrity, and availability. No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection IBM RCE Db2
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-7873 CRITICAL PATCH Act Now

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. No public exploit identified at time of analysis, but a vendor patch is available.

Code Injection IBM RCE Langflow Oss
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-13772 CRITICAL PATCH Act Now

Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.

IBM Information Disclosure Websphere Extreme Scale
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-9711 CRITICAL Act Now

Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.

WordPress SQLi Eventon Pro Wordpress Virtual Event Calendar Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-7871 CRITICAL PATCH Act Now

Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.

Deserialization IBM Redis RCE Langflow Oss
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-7803 CRITICAL PATCH Act Now

Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the host by submitting flow definitions containing nodes with missing or empty component type fields. The improper input validation (CWE-20) lets malformed node specifications bypass type checks and reach unsafe execution paths in the low-code AI workflow engine. The CVSS vector (AV:N/PR:N) indicates network-reachable, pre-authentication exploitation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

IBM RCE Langflow Oss
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-11541 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-37106 CRITICAL Act Now

Remote code execution is claimed in DokuWiki 2025-05-14b "Librarian" (build 56.2) via the register function in inc/auth.php, which security intelligence maps to CWE-640 (weak password-recovery mechanism) - a mismatch that suggests account-takeover-to-code-execution rather than a direct memory-corruption RCE. The CVSS 3.1 score of 9.8 (network, no authentication, no user interaction) implies any internet-facing DokuWiki instance is at risk, and publicly available exploit code exists (a public gist proof-of-concept plus SSVC 'poc' exploitation status), though EPSS remains low at 0.26% (17th percentile), indicating no observed mass exploitation yet. Reported by MITRE and tracked as ENISA EUVD-2026-40863, it is tagged PHP/RCE but is not listed in CISA KEV.

RCE PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-13776 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-7663 CRITICAL PATCH Act Now

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.24%, 15th percentile), indicating exploitation has not yet become widespread.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13775 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14104 CRITICAL PATCH Act Now

Sandboxed remote code execution in Google Chrome desktop before 150.0.7871.47 lets a remote attacker run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page, exploiting insufficient input validation in the WebAppInstalls component. Google rates the Chromium severity as Low because execution is contained within the sandbox and no escape is included, and there is no public exploit identified at time of analysis. EPSS is low (0.21%, 12th percentile) and CISA SSVC records exploitation status as none.

RCE Google Suse
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-11546 CRITICAL Act Now

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthenticated attackers coerce the server into making arbitrary outbound requests when the adminCenter-1.0 feature is enabled. Reported by IBM PSIRT with a CVSS 3.1 base score of 9.8, the flaw carries no public exploit identified at time of analysis; EPSS is low at 0.21% (12th percentile) and CISA SSVC records exploitation status as none. The adminCenter-1.0 administrative console feature is the specific attack surface, so exposure is limited to Liberty instances that enable it.

SSRF IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14121 CRITICAL PATCH Act Now

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux, fixed in 150.0.7871.47, lets a remote attacker corrupt memory via crafted network traffic and potentially run arbitrary code. The flaw is a CWE-416 use-after-free reported by Google's internal Chrome security team; there is no public exploit identified at time of analysis and it is not in CISA KEV. Note a signal conflict: NVD scores this 9.8 (Critical) while Chromium itself rated the security severity 'Low', and EPSS is only 0.20% (10th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-11714 CRITICAL Act Now

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthenticated attackers coerce the server into issuing crafted requests to internal or external systems when the optional apiDiscovery-1.0 feature is enabled. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N), reflecting network-reachable, no-privilege exploitation, though no public exploit is identified at time of analysis and EPSS is low at 0.19% (8th percentile). CISA SSVC scores exploitation as none and non-automatable, indicating no observed weaponization yet.

SSRF IBM Websphere Application Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14241 CRITICAL Act Now

Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.

Memory Corruption Mozilla Buffer Overflow RCE Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-8402 CRITICAL PATCH Act Now

Blind SQL injection in Eksagate SYSGUARD 6001 (versions 2.0.2 up to but not including 6.1.16.0) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input, enabling extraction or manipulation of backend database contents. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates it 9.8 Critical with full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued for affected branches.

SQLi Sysguard 6001
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-13766 CRITICAL PATCH Act Now

SQL injection in DBIx::QuickORM (a Perl ORM) before version 0.000026 lets attackers manipulate queries through unquoted SQL identifiers. Because the bundled SQL::Abstract subclass sets bindtype but never quote_char, caller-supplied identifiers such as order_by values, where-clause column keys, field/returning lists, upsert columns, and join aliases are emitted verbatim into the SQL string while only values are placeholder-bound. An application that forwards untrusted input into any of these identifier positions exposes data disclosure and tampering; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

SQLi Dbix
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-13883 CRITICAL PATCH Act Now

Type Confusion in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13798 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 stems from a heap buffer overflow in the Chromecast component, letting an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6, but it is a second-stage bug requiring prior renderer control, and there is no public exploit identified at time of analysis (SSVC exploitation: none, EPSS 0.22%). No CISA KEV listing exists, indicating no confirmed active exploitation.

Heap Overflow Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13785 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13781 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13780 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13901 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets an attacker who already controls a compromised renderer process break out of the browser sandbox through insufficient policy enforcement in the Web Serial API, using a crafted HTML page. Google rated the underlying Chromium bug Medium severity even though NVD assigns a 9.6 CVSS due to the scope-changing impact. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.22%, 12th percentile).

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13843 CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13934 CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13920 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page that abuses insufficient input validation in the Media component. Google rates the Chromium security severity as Medium and a fix is shipped in the stable channel, but no public exploit has been identified and EPSS exploitation probability is low at 0.21%. The high 9.6 CVSS reflects the total system compromise possible once chained, not standalone exploitability.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13909 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome DevTools before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, stemming from insufficient policy enforcement (CWE-693). NVD scores this 9.6 with a scope-change vector, though Google rates the Chromium severity only Medium and it is a second-stage bug requiring prior renderer compromise. No public exploit has been identified at time of analysis and EPSS is low (0.21%), consistent with a chained rather than standalone threat.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13882 CRITICAL PATCH Act Now

Race in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Race Condition Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13880 CRITICAL PATCH Act Now

Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13878 CRITICAL PATCH Act Now

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13869 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13861 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13859 CRITICAL PATCH Act Now

Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy