Skip to main content

Google

13978 CVEs vendor

Monthly

CVE-2026-7896 HIGH PATCH This Week

Heap corruption in Google Chrome prior to 148.0.7778.96 allows remote attackers to execute arbitrary code via a maliciously crafted HTML page exploiting an integer overflow in the Blink rendering engine. The vulnerability requires user interaction (visiting a malicious webpage) but no authentication, enabling drive-by attacks against default Chrome installations. Google has assigned this a Critical severity rating and released version 148.0.7778.96 to address the issue. No active exploitation (CISA KEV) or public POC has been identified at time of analysis, though the technical details are publicly documented in the Chromium issue tracker.

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-42184 Cargo MEDIUM PATCH GHSA This Month

Origin confusion in Tauri's is_local_url() function on Windows and Android allows remote attackers to invoke local-only IPC commands by hosting content on a domain whose first subdomain matches the application's custom URI scheme. An attacker can register a domain like http://app.evil.com/ to bypass origin validation when the target application uses an app:// custom protocol, gaining unauthorized access to backend functionality intended only for the application's own frontend. A public proof-of-concept demonstrates successful command invocation through this bypass.

Google SSRF Microsoft
NVD GitHub
CVSS 4.0
6.1
EPSS
0.0%
CVE-2026-43164 HIGH PATCH This Week

Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.

Google Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43882 PHP MEDIUM PATCH GHSA This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF Mozilla Apple +1
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42260 npm HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.

Microsoft SSRF Node.js Docker Apple +1
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-42207 PHP MEDIUM PATCH GHSA This Month

Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.

PHP Google Open Redirect
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-43875 PHP MEDIUM PATCH GHSA This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-40893 Go HIGH PATCH GHSA This Week

Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.

Docker Information Disclosure Google
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-42090 CRITICAL PATCH Act Now

Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.

Google Apple RCE XSS
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-42811 Maven CRITICAL PATCH GHSA Act Now

CEL injection in Apache Polaris 1.4.0 allows authenticated users to escape credential access boundaries on Google Cloud Storage. Attackers can craft namespace or table identifiers containing single quotes and CEL fragments to break out of quoted strings in Credential Access Boundary conditions, escalating temporary table-scoped GCS credentials to effectively bucket-wide access. Confirmed in private testing: attackers obtained credentials intended for one table but successfully listed, read, created, and deleted objects across unrelated tables and external prefixes within the entire configured bucket. EPSS data not yet available for this recent CVE; CVSS 9.4 reflects critical confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (scope changed).

Google Apache Information Disclosure
NVD VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-7686 MEDIUM POC PATCH This Month

Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

Authentication Bypass Google Chrome
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7671 LOW POC Monitor

Improper restriction of excessive authentication attempts in CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows remote attackers to bypass rate-limiting controls on the /TwoFactor endpoint, potentially enabling brute-force attacks against two-factor authentication mechanisms. Publicly available exploit code exists. The vendor did not respond to early disclosure notification.

Google Information Disclosure Apple
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-6229 HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-7638 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress Apple
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23866 MEDIUM PATCH This Month

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.

Google Information Disclosure Apple
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-31699 HIGH PATCH This Week

Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31698 HIGH PATCH This Week

Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31697 HIGH PATCH This Week

Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Memory Corruption Buffer Overflow Google Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43016 HIGH PATCH This Week

Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Google Information Disclosure Linux Use After Free Memory Corruption +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40281 Go CRITICAL PATCH GHSA Act Now

Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.

Google RCE Docker
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-39383 Go MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.

Google SSRF Docker
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-40280 Go HIGH PATCH GHSA This Week

Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.

Google SSRF Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-41643 Go HIGH PATCH GHSA This Week

Remote unauthenticated denial of service crashes GoBGP routing daemon via malformed BGP UPDATE message exploiting index-out-of-bounds panic. Attackers send crafted BGP UPDATE with AS4_PATH attribute preceding AS_PATH, causing slice index mismanagement in UpdatePathAttrs4ByteAs function (internal/pkg/table/message.go). Publicly available exploit code exists with hex-level proof-of-concept payload demonstrating immediate process termination. Affects GoBGP v4.2.0 and earlier; vendor-released patch v4.3.0 available per GitHub advisory GHSA-8rxh-r2p6-7f2q. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-accessible, low-complexity attack requiring no privileges, resulting in complete routing service disruption.

Google Denial Of Service Suse Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7355 HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7340 MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Microsoft Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7339 HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Buffer Overflow Google Heap Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7341 HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7342 HIGH PATCH This Week

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7338 HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7345 HIGH PATCH This Week

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-7346 HIGH PATCH This Week

Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7347 HIGH PATCH This Week

Use after free in Chromoting in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7337 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7336 HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7335 HIGH PATCH This Week

Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7348 HIGH PATCH This Week

Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7349 HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7350 HIGH PATCH This Week

Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-7351 LOW PATCH Monitor

Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: High)

Information Disclosure Google Race Condition Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7352 HIGH PATCH This Week

Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-7353 HIGH PATCH This Week

Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Heap Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-7354 HIGH PATCH This Week

Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7356 HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7357 HIGH PATCH This Week

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7334 HIGH PATCH This Week

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7358 HIGH PATCH This Week

Use after free in Animation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7359 HIGH PATCH This Week

Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7360 LOW PATCH Monitor

Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7333 CRITICAL PATCH Act Now

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-7343 HIGH PATCH This Week

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7344 HIGH PATCH This Week

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7361 HIGH PATCH This Week

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Memory Corruption Apple Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7363 HIGH PATCH This Week

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40453 Maven CRITICAL PATCH GHSA Act Now

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Microsoft RCE Google Canonical Apache +1
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-30346 MEDIUM This Month

An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL.

Google Open Redirect N A
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41432 Go HIGH PATCH GHSA This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31592 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock Take and hold kvm->lock for before checking sev_guest() in sev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock is held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't rollack state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add to a not-yet-initialized sev->regions_list, e.g. triggering a #GP Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83 Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00 RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256 RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000 RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000 R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000 R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000 FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0 Call Trace: <TASK> kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371 kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363 __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f34e9f7e9a9 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9 RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007 RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8 </TASK> with a syzlang reproducer that looks like: syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async) syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async) ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async) r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) close(r0) (async) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async) ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async) ioctl$KVM_RUN(r5, 0xae80, 0x0) Opportunistically use guard() to avoid having to define a new error label and goto usage.

Linux Google Null Pointer Dereference Canonical Denial Of Service +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31551 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] The problem is that aql_enable_write() does not serialise concurrent write()s to the debugfs. aql_enable_write() checks static_key_false(&aql_disable.key) and later calls static_branch_inc() or static_branch_dec(), but the state may change between the two calls. aql_disable does not need to track inc/dec. Let's use static_branch_enable() and static_branch_disable(). [0]: val == 0 WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 Modules linked in: CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) Tainted: [U]=USER, [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0 Call Trace: <TASK> __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] __static_key_slow_dec kernel/jump_label.c:321 [inline] static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 vfs_write+0x2aa/0x1070 fs/read_write.c:684 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f530cf9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 </TASK>

Google Information Disclosure Integer Overflow Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5488 MEDIUM This Month

ExactMetrics Google Analytics Dashboard for WordPress versions up to 9.1.2 allow authenticated subscribers to retrieve Google Ads access tokens and reset Google Ads integration settings through missing authorization checks in AJAX handlers. Although a nonce is verified, two AJAX endpoints (get_ads_access_token and reset_experience) lack the capability checks present in similar endpoints, enabling attackers with subscriber-level access to perform administrative actions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects network-accessible unauthenticated exploitation, but the description indicates authenticated subscriber access is required, creating a discrepancy between reported CVSS and actual attack prerequisites.

PHP Google Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6921 HIGH PATCH This Week

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Race Condition Information Disclosure Microsoft Google Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-6920 CRITICAL PATCH Act Now

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-6919 CRITICAL PATCH Act Now

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service Use After Free Chrome
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-3259 HIGH PATCH This Week

Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-5464 HIGH This Week

Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient-effectively bypassing plugin installation controls. EPSS and KEV status unknown; CVSS 7.2 reflects high-privilege requirement (PR:H) but direct path to RCE makes this a critical risk for multi-author WordPress sites where Editors have dashboard viewing permissions. Wordfence advisory and source code references confirm the vulnerability chain across three distinct code locations in versions through 9.1.1.

RCE Google Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-41673 npm HIGH PATCH GHSA This Week

Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.

Node.js Google Denial Of Service
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41675 npm HIGH PATCH GHSA This Week

XML node injection in @xmldom/xmldom allows remote unauthenticated attackers to inject arbitrary XML elements by embedding the processing instruction closing delimiter `?>` in PI data. The serializer emits attacker-controlled data verbatim without escaping or validation, causing the remainder of the payload to be interpreted as active XML markup. Publicly available exploit code exists (GitHub PoC from April 2026). EPSS data not provided; CVSS 8.7 reflects high integrity impact (VI:H) with network vector and no authentication required. Patch available in versions 0.8.13+ and 0.9.10+ but requires opt-in `requireWellFormed: true` flag - default behavior remains vulnerable for backward compatibility.

Apple Google Mozilla RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41672 npm HIGH PATCH GHSA This Week

XML node injection in the @xmldom/xmldom npm package allows remote attackers to inject arbitrary XML elements via maliciously crafted comment content containing the sequence '-->' which prematurely terminates comments during serialization. Applications processing untrusted input through createComment() or manipulating comment node data can emit structurally altered XML that downstream consumers parse as attacker-controlled elements. Public exploit code exists (GitHub PR #987). CVSS:4.0 rates this 8.7 (High) with network vector, low complexity, and no privileges required. Vendor-released patches require opt-in protection flag { requireWellFormed: true } to maintain backward compatibility with W3C spec defaults; existing code remains vulnerable unless explicitly migrated.

Information Disclosure Apple Google Mozilla
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41238 npm MEDIUM PATCH GHSA This Month

DOMPurify versions 3.0.1 through 3.3.3 fail to prevent prototype pollution-based XSS attacks when using default configurations. An attacker who can exploit a prototype pollution gadget elsewhere in the application can pollute Object.prototype with permissive regex values, causing DOMPurify to bypass sanitization and allow arbitrary custom elements with event handler attributes. The vulnerability affects the standard DOMPurify.sanitize(userInput) call without requiring special configuration.

Google XSS Red Hat Chrome
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-31192 MEDIUM This Month

Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.

Information Disclosure Google Chrome
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6294 MEDIUM This Month

Cross-Site Request Forgery in Google PageRank Display plugin for WordPress (versions up to 1.4) allows unauthenticated attackers to trick logged-in administrators into changing plugin settings via a crafted request, due to missing nonce validation in the settings form handler. The vulnerability has a CVSS score of 4.3 (network-based, low complexity, requires user interaction) and enables modification of plugin configuration such as display style without administrator knowledge.

CSRF WordPress Google
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40451 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in DeepL Chrome browser extension versions 1.22.0 through 1.23.0 allows remote attackers to execute arbitrary JavaScript and inject malicious HTML into web pages viewed by users. The vulnerability requires user interaction with a malicious web page but can compromise the security context of all visited websites.

XSS Google Chrome Browser Extension
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6756 HIGH PATCH This Week

A mitigation bypass in Firefox for Android allows remote attackers to achieve high-impact integrity violations without authentication or user interaction. Fixed in Firefox 150, this CWE-200 information disclosure flaw enables attackers to circumvent existing security controls via network-based vectors. Despite a CVSS base score of 7.5 (High), real-world exploitation risk appears limited: EPSS probability is only 0.02% (5th percentile), no public exploit code has been identified, and CISA SSVC framework rates it as non-exploited with partial technical impact, though automatable.

Google Information Disclosure Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39973 Maven HIGH PATCH GHSA This Week

Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. CVSS 7.1 with local attack vector and required user interaction. No active exploitation (CISA KEV) or public POC identified at time of analysis, but exploit development is straightforward given the detailed technical disclosure in GitHub advisory GHSA-m8mh-x359-vm8m.

Path Traversal Microsoft Google
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-39866 HIGH This Week

Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.

Command Injection RCE Google
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-40491 PyPI MEDIUM PATCH This Month

gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The vulnerability requires user interaction (UI:R) to trigger extraction but affects all unauthenticated remote users downloading via the gdown library.

Path Traversal RCE Google
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13364 MEDIUM This Month

Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.

XSS WordPress Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3581 MEDIUM This Month

Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5050 HIGH This Week

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Information Disclosure Jwt Attack WordPress Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6364 MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)

Information Disclosure Buffer Overflow Google Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6319 HIGH PATCH This Week

Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6318 HIGH PATCH This Week

Arbitrary code execution within Chrome's sandbox affects all versions prior to 147.0.7727.101 via crafted HTML pages exploiting a use-after-free in codec processing. Remote attackers require user interaction (visiting a malicious page) but need no authentication. CVSS 8.8 (High) with network attack vector, low complexity, and high impact across confidentiality, integrity, and availability. Google patched this in the stable channel update released April 15, 2026. No public exploit code or CISA KEV listing identified at time of analysis, though Chromium issue tracker #495996858 indicates vendor-confirmed vulnerability. The sandbox containment limits initial exploitation to Chrome's restricted environment, not direct system compromise.

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6363 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Memory Corruption Google Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6317 HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6362 MEDIUM PATCH This Month

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)

Denial Of Service Memory Corruption Use After Free Google Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6361 HIGH PATCH This Week

Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

Microsoft Google Heap Overflow Buffer Overflow RCE +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-6316 HIGH PATCH This Week

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6315 HIGH PATCH This Week

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google Denial Of Service RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-6314 HIGH PATCH This Week

Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Buffer Overflow Google Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-6313 LOW PATCH Monitor

Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6312 LOW PATCH Monitor

Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome prior to 148.0.7778.96 allows remote attackers to execute arbitrary code via a maliciously crafted HTML page exploiting an integer overflow in the Blink rendering engine. The vulnerability requires user interaction (visiting a malicious webpage) but no authentication, enabling drive-by attacks against default Chrome installations. Google has assigned this a Critical severity rating and released version 148.0.7778.96 to address the issue. No active exploitation (CISA KEV) or public POC has been identified at time of analysis, though the technical details are publicly documented in the Chromium issue tracker.

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Origin confusion in Tauri's is_local_url() function on Windows and Android allows remote attackers to invoke local-only IPC commands by hosting content on a domain whose first subdomain matches the application's custom URI scheme. An attacker can register a domain like http://app.evil.com/ to bypass origin validation when the target application uses an app:// custom protocol, gaining unauthorized access to backend functionality intended only for the application's own frontend. A public proof-of-concept demonstrates successful command invocation through this bypass.

Google SSRF Microsoft
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.

Google Linux Null Pointer Dereference +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF +3
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.

Microsoft SSRF Node.js +3
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated `uenc` parameter in the ProductAlert `stockAction()` controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the `_isUrlInternal()` validation check present in the analogous `priceAction()` method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.

PHP Google Open Redirect
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.

Docker Information Disclosure Google
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.

Google Apple RCE +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

CEL injection in Apache Polaris 1.4.0 allows authenticated users to escape credential access boundaries on Google Cloud Storage. Attackers can craft namespace or table identifiers containing single quotes and CEL fragments to break out of quoted strings in Credential Access Boundary conditions, escalating temporary table-scoped GCS credentials to effectively bucket-wide access. Confirmed in private testing: attackers obtained credentials intended for one table but successfully listed, read, created, and deleted objects across unrelated tables and external prefixes within the entire configured bucket. EPSS data not yet available for this recent CVE; CVSS 9.4 reflects critical confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (scope changed).

Google Apache Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

Authentication Bypass Google Chrome
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper restriction of excessive authentication attempts in CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows remote attackers to bypass rate-limiting controls on the /TwoFactor endpoint, potentially enabling brute-force attacks against two-factor authentication mechanisms. Publicly available exploit code exists. The vendor did not respond to early disclosure notification.

Google Information Disclosure Apple
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.

Google Information Disclosure Apple
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel's BPF sockmap implementation allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in sk_psock_verdict_data_ready() when handling AF_UNIX sockets, where sk->sk_socket can be accessed after being freed following sock_orphan(). This affects Linux kernel versions 5.15 through 6.19.12, with patches available for stable branches 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% indicates very low observed exploitation probability in the wild, and no active exploitation or public exploit code has been identified at time of analysis.

Google Information Disclosure Linux +4
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.

Google RCE Docker
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated denial of service crashes GoBGP routing daemon via malformed BGP UPDATE message exploiting index-out-of-bounds panic. Attackers send crafted BGP UPDATE with AS4_PATH attribute preceding AS_PATH, causing slice index mismanagement in UpdatePathAttrs4ByteAs function (internal/pkg/table/message.go). Publicly available exploit code exists with hex-level proof-of-concept payload demonstrating immediate process termination. Affects GoBGP v4.2.0 and earlier; vendor-released patch v4.3.0 available per GitHub advisory GHSA-8rxh-r2p6-7f2q. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-accessible, low-complexity attack requiring no privileges, resulting in complete routing service disruption.

Google Denial Of Service Suse +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Microsoft +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Buffer Overflow Google Heap Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use after free in Chromoting in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google RCE +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: High)

Information Disclosure Google Race Condition +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Heap Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Animation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Memory Corruption Apple +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Microsoft RCE Google +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL.

Google Open Redirect N A
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock Take and hold kvm->lock for before checking sev_guest() in sev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock is held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't rollack state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add to a not-yet-initialized sev->regions_list, e.g. triggering a #GP Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83 Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00 RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256 RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000 RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000 R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000 R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000 FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0 Call Trace: <TASK> kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371 kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363 __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51 do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f34e9f7e9a9 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9 RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007 RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8 </TASK> with a syzlang reproducer that looks like: syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async) syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async) ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async) ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async) r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2) close(r0) (async) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async) ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async) ioctl$KVM_RUN(r5, 0xae80, 0x0) Opportunistically use guard() to avoid having to define a new error label and goto usage.

Linux Google Null Pointer Dereference +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] The problem is that aql_enable_write() does not serialise concurrent write()s to the debugfs. aql_enable_write() checks static_key_false(&aql_disable.key) and later calls static_branch_inc() or static_branch_dec(), but the state may change between the two calls. aql_disable does not need to track inc/dec. Let's use static_branch_enable() and static_branch_disable(). [0]: val == 0 WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288 Modules linked in: CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full) Tainted: [U]=USER, [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311 Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00 RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4 RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98 FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0 Call Trace: <TASK> __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline] __static_key_slow_dec kernel/jump_label.c:321 [inline] static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336 aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343 short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383 vfs_write+0x2aa/0x1070 fs/read_write.c:684 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f530cf9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9 RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010 RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000 R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978 </TASK>

Google Information Disclosure Integer Overflow +3
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

ExactMetrics Google Analytics Dashboard for WordPress versions up to 9.1.2 allow authenticated subscribers to retrieve Google Ads access tokens and reset Google Ads integration settings through missing authorization checks in AJAX handlers. Although a nonce is verified, two AJAX endpoints (get_ads_access_token and reset_experience) lack the capability checks present in similar endpoints, enabling attackers with subscriber-level access to perform administrative actions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects network-accessible unauthenticated exploitation, but the description indicates authenticated subscriber access is required, creating a discrepancy between reported CVSS and actual attack prerequisites.

PHP Google Authentication Bypass +1
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Race Condition Information Disclosure Microsoft +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Information disclosure in Google BigQuery materialized view refresh allows authenticated users to extract sensitive data via crafted views that generate error messages containing confidential information. Google Cloud Platform patched this server-side vulnerability on 29 January 2026 with automatic remediation requiring no customer action. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network-accessible attack vector and low attack complexity, though no public exploit or CISA KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated Editor-level attackers can achieve Remote Code Execution in ExactMetrics WordPress plugin (all versions ≤9.1.2) by chaining exposed onboarding credentials to install and activate arbitrary plugin ZIP files from attacker-controlled URLs. The attack exploits a missing authorization check in the 'exactmetrics_connect_process' AJAX endpoint that accepts the one-time hash token obtained via the exposed 'onboarding_key' transient-effectively bypassing plugin installation controls. EPSS and KEV status unknown; CVSS 7.2 reflects high-privilege requirement (PR:H) but direct path to RCE makes this a critical risk for multi-author WordPress sites where Editors have dashboard viewing permissions. Wordfence advisory and source code references confirm the vulnerability chain across three distinct code locations in versions through 9.1.1.

RCE Google Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.

Node.js Google Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XML node injection in @xmldom/xmldom allows remote unauthenticated attackers to inject arbitrary XML elements by embedding the processing instruction closing delimiter `?>` in PI data. The serializer emits attacker-controlled data verbatim without escaping or validation, causing the remainder of the payload to be interpreted as active XML markup. Publicly available exploit code exists (GitHub PoC from April 2026). EPSS data not provided; CVSS 8.7 reflects high integrity impact (VI:H) with network vector and no authentication required. Patch available in versions 0.8.13+ and 0.9.10+ but requires opt-in `requireWellFormed: true` flag - default behavior remains vulnerable for backward compatibility.

Apple Google Mozilla +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XML node injection in the @xmldom/xmldom npm package allows remote attackers to inject arbitrary XML elements via maliciously crafted comment content containing the sequence '-->' which prematurely terminates comments during serialization. Applications processing untrusted input through createComment() or manipulating comment node data can emit structurally altered XML that downstream consumers parse as attacker-controlled elements. Public exploit code exists (GitHub PR #987). CVSS:4.0 rates this 8.7 (High) with network vector, low complexity, and no privileges required. Vendor-released patches require opt-in protection flag { requireWellFormed: true } to maintain backward compatibility with W3C spec defaults; existing code remains vulnerable unless explicitly migrated.

Information Disclosure Apple Google +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

DOMPurify versions 3.0.1 through 3.3.3 fail to prevent prototype pollution-based XSS attacks when using default configurations. An attacker who can exploit a prototype pollution gadget elsewhere in the application can pollute Object.prototype with permissive regex values, causing DOMPurify to bypass sanitization and allow arbitrary custom elements with event handler attributes. The vulnerability affects the standard DOMPurify.sanitize(userInput) call without requiring special configuration.

Google XSS Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.

Information Disclosure Google Chrome
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Google PageRank Display plugin for WordPress (versions up to 1.4) allows unauthenticated attackers to trick logged-in administrators into changing plugin settings via a crafted request, due to missing nonce validation in the settings form handler. The vulnerability has a CVSS score of 4.3 (network-based, low complexity, requires user interaction) and enables modification of plugin configuration such as display style without administrator knowledge.

CSRF WordPress Google
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in DeepL Chrome browser extension versions 1.22.0 through 1.23.0 allows remote attackers to execute arbitrary JavaScript and inject malicious HTML into web pages viewed by users. The vulnerability requires user interaction with a malicious web page but can compromise the security context of all visited websites.

XSS Google Chrome Browser Extension
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A mitigation bypass in Firefox for Android allows remote attackers to achieve high-impact integrity violations without authentication or user interaction. Fixed in Firefox 150, this CWE-200 information disclosure flaw enables attackers to circumvent existing security controls via network-based vectors. Despite a CVSS base score of 7.5 (High), real-world exploitation risk appears limited: EPSS probability is only 0.02% (5th percentile), no public exploit code has been identified, and CISA SSVC framework rates it as non-exploited with partial technical impact, though automatable.

Google Information Disclosure Mozilla +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in Apktool 3.0.0-3.0.1 enables malicious APK files to write arbitrary files during decoding operations, potentially achieving remote code execution by overwriting shell configuration files or startup scripts. This security regression, introduced December 12, 2025 when sanitization controls were removed from resource decoder logic, allows attackers to embed directory traversal sequences in APK metadata that escape output directories and target critical system files like ~/.ssh/config or Windows Startup folders. CVSS 7.1 with local attack vector and required user interaction. No active exploitation (CISA KEV) or public POC identified at time of analysis, but exploit development is straightforward given the detailed technical disclosure in GitHub advisory GHSA-m8mh-x359-vm8m.

Path Traversal Microsoft Google
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Command injection in Lawnchair's GitHub Actions workflow allows authenticated repository contributors to execute arbitrary code on GitHub-hosted CI/CD runners. The vulnerability affects Lawnchair for Android versions prior to commit fcba413f5 and stems from unsanitized workflow_dispatch inputs in release_update.yml. Authenticated attackers with repository write access can inject shell commands through workflow parameters, achieving full code execution in the build environment. A patch is available (commit fcba413f5), and the CVSS vector indicates this is a network-accessible, low-complexity attack requiring low privileges. CVSS v4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact scoped to the vulnerable CI/CD system. EPSS data not provided; no CISA KEV listing at time of analysis.

Command Injection RCE Google
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

gdown prior to version 5.2.2 allows remote attackers to write arbitrary files outside the intended extraction directory via maliciously crafted ZIP or TAR archives due to insufficient path traversal validation in the extractall functionality. An attacker can craft a malicious archive with path traversal sequences (e.g., ../ entries) in filenames, which when extracted by a user, permits file overwrite and potential remote code execution. The vulnerability requires user interaction (UI:R) to trigger extraction but affects all unauthenticated remote users downloading via the gdown library.

Path Traversal RCE Google
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.

XSS WordPress Google
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Information Disclosure Jwt Attack WordPress +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)

Information Disclosure Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution within Chrome's sandbox affects all versions prior to 147.0.7727.101 via crafted HTML pages exploiting a use-after-free in codec processing. Remote attackers require user interaction (visiting a malicious page) but need no authentication. CVSS 8.8 (High) with network attack vector, low complexity, and high impact across confidentiality, integrity, and availability. Google patched this in the stable channel update released April 15, 2026. No public exploit code or CISA KEV listing identified at time of analysis, though Chromium issue tracker #495996858 indicates vendor-confirmed vulnerability. The sandbox containment limits initial exploitation to Chrome's restricted environment, not direct system compromise.

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Memory Corruption Google +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)

Denial Of Service Memory Corruption Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

Microsoft Google Heap Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free Memory Corruption Google +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Chrome
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
Prev Page 20 of 156 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy