Open CVEs: 28
Exploited: 0
KEV: 0
Unpatched: 3
No Workaround: 3
Internet-facing: 16
Why this provider is risky now
This provider has 28 open CVEs in the last 7 days. 3 have no vendor patch, 16 affect internet-facing services, and 1 impacts the management/identity plane.
Top Risky CVEs
CVE-2026-10021
This Week
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code in the browser context by luring a victim to a crafted HTML page that abuses insufficient input validation in the WebUSB component. The flaw carries a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and Chromium rates it Medium severity; no public exploit has been identified at the time of analysis, and it is not currently listed in CISA KEV. A vendor patch shipped via the Chrome Stable channel mitigates the issue.
Within 24 hours: Deploy Chrome 148.0.7778.216 or later via group policy/MDM to all managed Chrome instances. Within 7 days: Verify completion of updates across 95% of the user base and confirm older versions are no longer present on endpoints. Within 30 days: Audit Chrome deployment policies to ensure automatic updates are enforced and conduct an incident log review for potential exploitation indicators targeting WebUSB.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- Third-party ICT: Red Hat, SUSE
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.1% | Priority: 44
CVE-2026-10002
This Week
Heap corruption in Google Chrome's PDFium component (versions prior to 148.0.7778.216) allows a remote attacker to potentially achieve code execution by tricking a user into opening a crafted PDF file. The flaw is a use-after-free condition rated High severity by Chromium, with no public exploit identified at time of analysis and a low EPSS score (0.03%) suggesting limited near-term mass exploitation despite a CVSS of 8.8. A vendor patch has been released via the Chrome Stable channel update.
Within 24 hours: verify Chrome autoupdate is enabled organization-wide and document any manual deployment controls preventing automatic updates. Within 7 days: confirm all Chrome instances are updated to version 148.0.7778.216 or later and validate version compliance across managed endpoints. Within 30 days: audit the complete Chrome version inventory across the organization and implement policies restricting PDF sources to trusted origins where operationally feasible.
ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat, SUSE
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.0% | Priority: 44
CVE-2026-10019
This Week
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the ANGLE graphics translation layer, allowing a remote attacker who lures a user to a crafted HTML page to bypass same-origin protections and exfiltrate sensitive data from other domains. The flaw carries a CVSS 8.8 rating due to network reachability and high impact across confidentiality, integrity, and availability, though Chromium itself rates the severity as Medium. EPSS is very low at 0.03% (11th percentile) and no public exploit has been identified at the time of analysis, indicating limited near-term exploitation pressure despite the high CVSS.
Within 24 hours: Alert all Chrome users to update immediately to version 148.0.7778.216 or later; validate auto-update settings are enabled. Within 7 days: Conduct audits of 10% of workstations to confirm patch deployment and verify no blocking policies prevent updates. Within 30 days: Run endpoint scanning across all systems to achieve 100% compliance with Chrome 148.0.7778.216 or later; escalate any blockers to IT leadership.
ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.0% | Priority: 44
CVE-2026-10022
This Week
Type confusion in the V8 JavaScript engine of Google Chrome before 148.0.7778.216 enables arbitrary code execution within the renderer sandbox when a user installs a malicious extension. The flaw requires user interaction (extension installation) and is rated 8.8 (High) by CVSS, though Chromium internally rated it Medium severity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Within 24 hours: Announce mandatory Chrome update to 148.0.7778.216 or later; restrict extension installation where possible. Within 7 days: Deploy Chrome 148.0.7778.216+ via MDM/patch management to all endpoints; verify rollout completion. Within 30 days: Audit installed extensions, implement extension allowlisting, and establish policies to restrict future installation.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.0% | Priority: 44
CVE-2026-10007
This Week
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the SVG rendering component, allowing remote attackers to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. Rated High severity by the Chromium project with a CVSS score of 8.8, the issue requires user interaction (visiting a malicious page) but no authentication. No public exploit has been identified at the time of analysis, and the vulnerability is not currently listed in CISA KEV.
Within 24 hours: Issue security alert to all Chrome users recommending immediate update and advising caution with untrusted websites; prepare deployment package for Chrome version 148.0.7778.216 or later. Within 7 days: Deploy Chrome version 148.0.7778.216 or later to all managed devices using your software distribution system and monitor deployment completion. Within 30 days: Audit all systems to verify 100% patch compliance and document remediation for any devices that remain unpatched.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.1% | Priority: 44
CVE-2026-10013
This Week
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the WebCodecs component, allowing a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a malicious HTML page. The issue is rated High severity by Chromium with a CVSS 3.1 score of 8.8, and a vendor patch is available, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV. Successful exploitation requires user interaction (visiting a crafted page), and code execution is constrained to the Chrome sandbox unless chained with a sandbox-escape bug.
Within 24 hours: Issue security alert to employees advising immediate browser updates; verify patch deployment capability in your environment. Within 7 days: Deploy Chrome 148.0.7778.216 or later across all endpoints using your standard patch management process. Within 30 days: Confirm 100% compliance through endpoint management tools and disable or restrict WebCodecs at the group policy level if your business does not require it.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.1% | Priority: 44
CVE-2026-10015
This Week
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the WTF (Web Template Framework) component, exploitable when a victim visits a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and Chromium-assigned High severity, and requires user interaction (UI:R) to load the malicious page; no public exploit has been identified at the time of analysis. While code execution is constrained to the renderer sandbox, this remains a strong primitive for chaining with sandbox escapes in real-world exploit kits.
Within 24 hours: Audit all Chrome deployments and identify systems running versions prior to 148.0.7778.216; communicate patch urgency to deployment teams. Within 7 days: Test Chrome version 148.0.7778.216 in controlled environments, verify business-critical extension compatibility, and prepare rollout procedures. Within 30 days: Deploy Chrome 148.0.7778.216 across all organizational endpoints and validate successful updates via inventory systems.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.1% | Priority: 44
CVE-2026-10016
This Week
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows attackers to run arbitrary code inside the browser's renderer sandbox through a crafted HTML page that triggers a use-after-free condition in the DOM implementation. The flaw, rated High severity by Chromium and carrying a CVSS 8.8 score, requires only that a victim visit a malicious or compromised webpage, making it well-suited for drive-by attacks even though no public exploit has been identified at the time of analysis.
Within 24 hours: Announce the security update (Chrome version 148.0.7778.216 or later) to all staff and enable automatic updates. Within 7 days: Verify via endpoint management or MDM that at least 90% of Chrome instances are on the patched version. Within 30 days: Conduct full inventory reconciliation to confirm 100% compliance and review any lagging systems for evidence of compromise.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: rce
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.8 | EPSS: 0.1% | Priority: 44
CVE-2026-10020
This Week
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting the Skia graphics library. Exploitation requires user interaction (visiting a malicious page) and chained renderer compromise, raising attack complexity, but the resulting scope change and full CIA impact make it a high-severity issue. No public exploit has been identified at the time of analysis, and EPSS exploitation probability is very low (0.05%, 15th percentile).
Within 24 hours: Identify Chrome for Android deployment scope across organizational and BYOD devices; issue advisory notifying users of patch availability. Within 7 days: Push automated updates to Chrome version 148.0.7778.216 or later, or publish documented deployment steps for manual installation. Within 30 days: Audit update compliance; verify ≥95% of devices running patched version; review device logs for anomalous behavior during unpatched exposure window.
Edge exposure | ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-20: Improper Input Validation)
- Third-party ICT: Red Hat, SUSE
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.3 | EPSS: 0.0% | Priority: 42
CVE-2026-10000
This Week
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out via a use-after-free in the Passwords component, delivered through a crafted HTML page. Exploitation requires user interaction and high attack complexity, and no public exploit has been identified at the time of analysis, though Google rates the underlying Chromium severity as High and a vendor patch is available.
Within 24 hours: audit Chrome version distribution on Windows endpoints and establish patch deployment timeline. Within 7 days: validate Chrome 148.0.7778.216 in test environment and begin staged rollout to production. Within 30 days: complete deployment of Chrome 148.0.7778.216 across all Windows systems and confirm deployment completion.
ICT dependency | Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: Red Hat, SUSE
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Red Hat (Infrastructure & Virtualization)
- ICT provider: SUSE (Infrastructure & Virtualization)
CVSS: 8.3 | EPSS: 0.0% | Priority: 42
By Exposure
- Internet-facing: 16
- Mgmt / Admin Plane: 1
- Identity / Auth: 0
- Internal only: 12
By Exploitability
- Known exploited: 0
- Public PoC: 0
- High EPSS (>30%): 0
- Remote unauthenticated: 23
- Local only: 0
By Remediation
- Patch available: 25
- No patch: 3
- Workaround available: 7
- No workaround: 3
Affected Services / Product Families
- Red Hat: 28 CVE(s)
+ 18 more