Skip to main content
CVE-2026-8451 HIGH POC PATCH NEWS This Week

Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.

Citrix Information Disclosure Buffer Overflow Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB GitHub
CVSS 4.0
8.8
EPSS
0.5%
CVE-2026-58166 HIGH POC PATCH This Week

Arbitrary file write and delete in OpenBMB ChatDev through 2.2.0 lets unauthenticated remote attackers control destination paths on the server by abusing the multipart filename in the upload session endpoint. Because save_upload_file joins the attacker-supplied filename onto the temp directory without sanitization, a traversal or absolute-path filename redirects both the write and the subsequent cleanup unlink to arbitrary host locations. Publicly available exploit code exists and a vendor fix is available (commit 4fd4da6); there is no public exploit identified as actively exploited in CISA KEV at time of analysis.

Path Traversal File Upload Chatdev
NVD GitHub
CVSS 4.0
8.8
EPSS
0.6%
CVE-2026-11589 HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-58375 HIGH POC This Week

Unauthenticated report data exfiltration in JimuReport (JeecgBoot) through version 2.5.0 lets remote attackers export the full contents of any report via the POST /jmreport/auto/export endpoint. Because the handler carries the @JimuNoLoginRequired annotation, JimuReportTokenInterceptor skips all authentication and the export service never checks the auto-export configuration flag, so any guessed report id is rendered and streamed back. Publicly available exploit code exists; the disclosure comes from VulnCheck and the CVSS 4.0 base score is 8.7 (High), driven by high confidentiality impact with no privileges or user interaction required.

Authentication Bypass Jimureport
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-58165 HIGH POC PATCH This Week

Privilege escalation in OpenZiti through 2.0.0 lets an authenticated non-admin identity that holds fine-grained enrollment-management permissions mint an enrollment for any identity - including the built-in default administrator - and then redeem the resulting one-time token via the unauthenticated client enrollment API to receive a client certificate that authenticates as that admin, granting full control of the controller and the entire zero-trust overlay. The root cause is a missing authorization check (CWE-862) in the enrollment creation path. Publicly available exploit details exist (reported by VulnCheck, GitHub issue #4010) and a vendor fix is available; no public exploit identified as actively used at time of analysis.

Authentication Bypass Privilege Escalation Ziti
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-58377 HIGH POC This Week

Broken access control in JeecgBoot through 3.9.2 lets authenticated low-privilege users reach the OpenApiAuthController and OpenApiPermissionController endpoints, which are missing Shiro authorization annotations, to fully manage OpenAPI AK/SK credentials. Because the list endpoint returns secret keys in plaintext, any logged-in user can harvest every Access Key/Secret Key pair and then create, modify, or delete them, enabling credential theft and unauthorized invocation of the OpenAPI surface. Publicly available exploit code exists and the issue was reported by VulnCheck, though it is not listed in CISA KEV.

Authentication Bypass Jeecgboot
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-11590 HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-58372 HIGH POC PATCH This Week

Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just one bucket destroy arbitrary objects in other tenants' buckets through the S3 gateway's DeleteMultipleObjectsHandler. By embedding ../ sequences in object keys inside the DeleteObjects XML request body, an attacker exploits a confused-deputy gap where path validation never inspected body keys. Publicly available exploit code exists (reported by VulnCheck) and a vendor patch shipped in release 4.34; the flaw is not listed in CISA KEV.

Path Traversal Seaweedfs
NVD GitHub
CVSS 4.0
7.2
EPSS
0.8%
CVE-2026-58376 HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP Dolibarr
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-58176 HIGH POC PATCH This Week

Broken function-level authorization in RuoYi-Vue-Plus through 5.6.2 allows any authenticated low-privileged user to manipulate workflow approval tasks - including reassigning pending approvals to arbitrary users, urging tasks, and enumerating all pending and completed tasks - by exploiting the absence of permission annotations on FlwTaskController endpoints under /workflow/task. This directly defeats segregation of duties in organizational approval chains, enabling a standard user to redirect approvals meant for specific roles and potentially approve transactions or actions they should never have authority over. A publicly available exploit is referenced in the project's GitHub issue tracker; no CISA KEV listing has been confirmed at time of analysis, suggesting targeted rather than widespread exploitation.

Authentication Bypass Ruoyi Vue Plus
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-58448 HIGH POC PATCH This Week

Information disclosure in the yudao-cloud BPM (business process management) module before 2026.06 lets any authenticated user read arbitrary workflow process-instance records by passing a caller-controlled process-instance ID to a GET endpoint that lacks the @PreAuthorize authorization check. Exposed data includes submitted form variables, approver identities, approval/rejection comments, and raw BPMN XML, with no ownership or tenant validation enforced. Publicly available exploit code exists and a vendor patch is available; the issue is not listed in CISA KEV.

Authentication Bypass Yudao Cloud
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58447 HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-52868 HIGH CISA Act Now

Path traversal in OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries; the issue was disclosed through CISA's ICS Medical advisory ICSMA-26-181-01 with no public exploit identified at time of analysis.

Path Traversal Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-44628 HIGH CISA Act Now

Denial of service in OFFIS DCMTK's DICOM worklist server (wlmscpfs) allows a remote, unauthenticated attacker to crash the service with a single crafted DICOM query when the server is provisioned with a valid Called AE Title, a storage directory, the expected lockfile, and at least one matching worklist record. The flaw stems from a type-confusion condition (CWE-843) and carries a CVSS 4.0 base score of 8.7 driven entirely by high availability impact (VA:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, though it was reported through the ICS-CERT/ICSMA medical-advisory channel.

Memory Corruption Denial Of Service Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-50254 HIGH CISA Act Now

Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a single crafted connection request (CWE-401 memory leak), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection and brings the listener down quickly. CVSS 4.0 scores this 8.7 (High), driven entirely by availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-35505 HIGH CISA Act Now

Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (availability-only impact), reported through CISA ICS-CERT medical advisory ICSMA-26-181-01.

Information Disclosure Dcmtk Toolkit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-13207 HIGH CISA Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-12578 HIGH CISA Act Now

Arbitrary code execution in Delta Electronics DTMSoft arises from unsafe deserialization of untrusted data during project file parsing (CWE-502), allowing an attacker who supplies a malicious DTMSoft project file to run code in the context of the user who opens it. The flaw is local and requires victim interaction (opening the crafted file) rather than remote network exploitation, and impacts confidentiality, integrity, and availability fully. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; no EPSS score was supplied.

Deserialization RCE Dtmsoft
NVD
CVSS 4.0
8.4
EPSS
0.4%
CVE-2026-8452 HIGH PATCH NEWS This Week

Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated attackers to trigger unpredictable or erroneous appliance behavior when the device is deployed as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with no authentication, and the high confidentiality impact suggests memory contents may be exposed alongside the DoS condition. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Citrix Denial Of Service Buffer Overflow Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-8655 HIGH PATCH NEWS This Week

Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that produce unpredictable or erroneous behavior when the appliance is configured for specific DNS or load-balancing roles. Remote unauthenticated attackers can send crafted traffic to a vulnerable appliance to crash or destabilize it, with the CVSS 4.0 score of 8.8 driven primarily by high availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Citrix Oracle Denial Of Service Buffer Overflow Netscaler Application Delivery Controller +1
NVD VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-13474 HIGH PATCH NEWS This Week

Denial of service in Citrix NetScaler ADC and NetScaler Gateway allows remote attackers to crash or render unresponsive the appliance by sending malformed HTTP/2 requests, but only when HTTP/2 is enabled in the HTTP Profile and bound to an LB, CS, or VPN virtual server or service. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss, exploitable over the network without authentication or user interaction. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Citrix Denial Of Service Netscaler Application Delivery Controller Netscaler Gateway
NVD VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56808 HIGH This Week

Privileged OS command injection in the AVTECH Security Corporation DGM3103SCT surveillance device lets an authenticated user of the web management console inject operating-system commands that run with root privilege (CWE-78). Disclosed via JPCERT/CC coordination (JVN28979424), it carries CVSS 4.0 base 8.6 with no public exploit identified at time of analysis. Because the CVSS vector requires high privileges (PR:H), exploitation presumes a logged-in administrative web user, but successful abuse yields full root-level device takeover.

Command Injection Dgm3103Sct
NVD VulDB
CVSS 4.0
8.6
EPSS
1.6%
CVE-2026-41053 HIGH PATCH GHSA This Week

Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal access they should not hold, because the GitHub authentication provider incorrectly caches the result of team membership expansion. The flaw (CWE-303, CVSS 8.8) means a low-privileged GitHub-authenticated user can be granted access tied to other principals/teams, effectively bypassing intended authorization. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Rancher
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-48307 HIGH This Week

Reflected Cross-Site Scripting in Adobe ColdFusion 2025.9, 2023.20 and earlier lets an attacker craft a malicious link that, when opened by a victim, injects and executes attacker-controlled script in the victim's browser session, with Adobe characterizing the impact as potential arbitrary code execution in the context of the current user. Because the CVSS scope is changed and confidentiality, integrity and availability impacts are all rated High, a successful attack against an authenticated ColdFusion administrator could compromise the management interface. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS RCE Coldfusion
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13967 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. Exploitation requires user interaction (visiting a malicious page) but no authentication, and the flaw carries a CVSS 8.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), indicating no evidence of widespread exploitation despite the high CVSS.

Memory Corruption RCE Buffer Overflow Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13759 HIGH PATCH This Week

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.

Deserialization IBM RCE Websphere Extreme Scale
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14067 HIGH PATCH This Week

Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Apple Denial Of Service Use After Free +2
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13899 HIGH PATCH This Week

Use after free in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13898 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome's Cast Receiver component affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) can be triggered by luring a victim to a crafted HTML page. Google rates the Chromium severity as Medium because the resulting code execution is confined to the browser sandbox, though NVD scores it CVSS 8.8; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.27% (18th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13965 HIGH PATCH This Week

Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13888 HIGH PATCH This Week

Use-after-free in the Extensions component of Google Chrome before 150.0.7871.47 lets a remote attacker execute arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. Chromium rated the security severity Medium, though the associated CVSS score is 8.8 (High) due to network vector and high impact; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.26%. Google has shipped a fixed Stable channel build.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13885 HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome for Android before 150.0.7871.47, stemming from a use-after-free in the Skia graphics library, lets a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rated the Chromium security severity as Medium, and no public exploit has been identified at time of analysis; the EPSS score is low (0.26%, 17th percentile), and the bug is not on CISA KEV. Exploitation requires user interaction (visiting the malicious page) but no authentication.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13870 HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13848 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13845 HIGH PATCH This Week

Arbitrary code execution in Google Chrome's DOM implementation lets a remote attacker run code within the renderer sandbox by luring a victim to a crafted HTML page. All desktop Chrome builds before 150.0.7871.47 are affected; Chromium rates the flaw High severity. No public exploit has been identified and EPSS probability is low (0.26%), but the vendor patch is already available and should be applied promptly.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13821 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free in the Canvas component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page), but no authentication. There is no public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13815 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and 8.8 (CVSS 3.1); it requires user interaction (visiting a malicious page) and no privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with a low EPSS of 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13811 HIGH PATCH This Week

Renderer-process remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Input Method Editor (IME) component, letting a remote attacker run arbitrary code within the browser's sandbox when a victim visits a crafted HTML page. Rated High by Chromium and CVSS 8.8, it requires user interaction (visiting a page) but no authentication. No public exploit identified at time of analysis, and the EPSS score is low (0.26%, 17th percentile), indicating no evidence of widespread exploitation yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13805 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 150.0.7871.47 stems from a use-after-free in the GFX (graphics) component, allowing a remote attacker to run arbitrary code after a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS is 8.8, but exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis and EPSS is low (0.26%, 17th percentile), indicating no observed weaponization yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13788 HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13786 HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14149 HIGH PATCH This Week

Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13830 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux allows an adjacent-network attacker to run arbitrary code by sending malicious network traffic to a vulnerable client before version 150.0.7871.47. The flaw is a use-after-free memory-corruption issue rated High by Chromium and carries a CVSS 8.8. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.24%, 15th percentile), indicating no observed exploitation activity yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13825 HIGH PATCH This Week

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13784 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13783 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13903 HIGH PATCH This Week

Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Privilege Escalation Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14107 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Scheduling component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. There is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV; EPSS is low at 0.21% (12th percentile). Google rates the Chromium security severity as Low despite the NVD CVSS of 8.8, reflecting that code execution is confined to the sandbox rather than the host.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14091 HIGH PATCH This Week

Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14086 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID component, letting a remote attacker who lures a victim to a crafted HTML page break out of intended HID access controls and run arbitrary code. Exploitation requires user interaction (visiting a malicious page) but no authentication, and no public exploit has been identified at time of analysis; EPSS is low at 0.21% (12th percentile). Notably, Google rates the Chromium security severity as 'Low' while the NVD-style CVSS is 8.8, a discrepancy worth weighing when prioritizing.

RCE Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy