Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.
The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data.
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
OpenClaw Gateway versions prior to 2026.2.22 leak authentication tokens through Chrome DevTools Protocol (CDP) probe traffic on loopback interfaces, allowing local attackers to intercept the x-OpenClaw-relay-token header and reuse it for unauthorized Gateway access. An attacker with local network access or control of a loopback port can capture reachability probes to the /json/version endpoint and escalate privileges by replaying the stolen token as bearer authentication. A vendor patch is available, and this vulnerability has been documented by VulnCheck with references to the official GitHub security advisory and patch commit.
WP Go Maps (formerly WP Google Maps) plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'wpgmza_custom_js' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level privileges or higher can inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 10.0.05, with a CVSS score of 6.4 indicating moderate severity but significant practical impact due to low attack complexity and the ability to affect site-wide functionality.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
A vulnerability exists in the Community Tier of Harden-Runner (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.
A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.
A weakness has been identified in La Nacion App 10.2.25 on Android.
A security flaw (CVSS 2.5). Risk factors: public PoC available.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.
A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.
A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.
Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. A public proof-of-concept is available, though the CVSS 5.3 score and local-only attack vector limit immediate widespread exploitation risk.
Samsung Assistant versions prior to 9.3.10.7 contain an improper export of Android application components vulnerability that allows a local attacker with low privilege access to read sensitive saved information from the application. The vulnerability has a CVSS score of 4.8 with low complexity and no user interaction required, making it a moderate-risk issue affecting users on vulnerable Samsung devices. While no active exploitation or public proof-of-concept is documented at this time, the local attack vector and information disclosure impact warrant timely patching.
Google's Secure Folder prior to the March 2026 SMR release improperly exports Android application components, enabling local attackers to execute arbitrary activities with Secure Folder privileges. This high-severity vulnerability affects users with local device access and could allow privilege escalation or unauthorized access to protected data. No patch is currently available.
Microsoft Edge (Chromium-based) for Android contains a spoofing vulnerability that allows attackers to manipulate the presentation of content or identity through a network-based attack requiring user interaction. The vulnerability affects Microsoft Edge on Android devices and has a CVSS score of 5.0, indicating moderate severity with low impact on confidentiality, integrity, and availability. While the CVSS vector indicates User Interaction is Required and Attack Complexity is High, the vulnerability is not currently listed as actively exploited in known vulnerability databases, though the Reliability Rating of Confirmed suggests vendor verification.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.
Tolgee is an open-source localization platform. Versions up to 3.166.3 are affected by improper restriction of XML external entity reference (XXE).
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 allows user interface (UI) misrepresentation of critical information (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in PDF in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in Clipboard in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in Downloads in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.
Use after free in WebView in Google Chrome on Android versions up to 146.0.7680.71 (CVSS 8.8).
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in ChromeDriver in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in PDF in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.
Heap buffer overflow in Skia in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Unsafe navigation in Navigation in Google Chrome on iOS versions up to 146.0.7680.71 contains a security vulnerability.
Side-channel information leakage in ResourceTiming in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 3.1).
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Incorrect security UI in LookalikeChecks in Google Chrome on Android versions up to 146.0.7680.71 allows user interface (UI) misrepresentation of critical information (CVSS 4.3).
Use after free in WindowDialog in Google Chrome versions up to 146.0.7680.71 (CVSS 7.5).
Use after free in WebMIDI in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in MediaStream in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in TextEncoding in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71, classified as an out-of-bounds read (CVSS 8.8).
Use after free in Extensions in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in WebMCP in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in Agents in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 (CVSS 8.8).
Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.
Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.
Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.
Modem has a fifth OOB write enabling remote privilege escalation.
An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.
Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.
Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.
Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.
Modem has a fourth OOB write due to incorrect bounds check.
Modem has a third OOB write in cell broadcast utilities.
Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.
Modem OOB write in cell broadcast utilities enabling privilege escalation.
Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.
Android versions up to - are affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Android versions up to - contain a vulnerability that allows local escalation of privilege with no additional execution privileges needed (CVSS 8.4).
In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.
The BulkEmbed plugin in AVideo fails to validate thumbnail URLs in its save endpoint, allowing authenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and retrieve responses from internal network resources. An attacker can supply malicious URLs via the bulk embed feature to force the server to make HTTP requests to internal systems and view the cached thumbnail responses. This vulnerability affects PHP-based AVideo installations and requires authentication to exploit.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data.
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
OpenClaw Gateway versions prior to 2026.2.22 leak authentication tokens through Chrome DevTools Protocol (CDP) probe traffic on loopback interfaces, allowing local attackers to intercept the x-OpenClaw-relay-token header and reuse it for unauthorized Gateway access. An attacker with local network access or control of a loopback port can capture reachability probes to the /json/version endpoint and escalate privileges by replaying the stolen token as bearer authentication. A vendor patch is available, and this vulnerability has been documented by VulnCheck with references to the official GitHub security advisory and patch commit.
WP Go Maps (formerly WP Google Maps) plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'wpgmza_custom_js' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level privileges or higher can inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 10.0.05, with a CVSS score of 6.4 indicating moderate severity but significant practical impact due to low attack complexity and the ability to affect site-wide functionality.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
A vulnerability exists in the Community Tier of Harden-Runner (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.
A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.
A weakness has been identified in La Nacion App 10.2.25 on Android.
A security flaw (CVSS 2.5). Risk factors: public PoC available.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.
A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.
A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.
Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. A public proof-of-concept is available, though the CVSS 5.3 score and local-only attack vector limit immediate widespread exploitation risk.
Samsung Assistant versions prior to 9.3.10.7 contain an improper export of Android application components vulnerability that allows a local attacker with low privilege access to read sensitive saved information from the application. The vulnerability has a CVSS score of 4.8 with low complexity and no user interaction required, making it a moderate-risk issue affecting users on vulnerable Samsung devices. While no active exploitation or public proof-of-concept is documented at this time, the local attack vector and information disclosure impact warrant timely patching.
Google's Secure Folder prior to the March 2026 SMR release improperly exports Android application components, enabling local attackers to execute arbitrary activities with Secure Folder privileges. This high-severity vulnerability affects users with local device access and could allow privilege escalation or unauthorized access to protected data. No patch is currently available.
Microsoft Edge (Chromium-based) for Android contains a spoofing vulnerability that allows attackers to manipulate the presentation of content or identity through a network-based attack requiring user interaction. The vulnerability affects Microsoft Edge on Android devices and has a CVSS score of 5.0, indicating moderate severity with low impact on confidentiality, integrity, and availability. While the CVSS vector indicates User Interaction is Required and Attack Complexity is High, the vulnerability is not currently listed as actively exploited in known vulnerability databases, though the Reliability Rating of Confirmed suggests vendor verification.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.
Tolgee is an open-source localization platform. Versions up to 3.166.3 are affected by improper restriction of XML external entity reference.
Google Chrome versions up to 146.0.7680.71 are affected by incorrect security UI in PictureInPicture, a user interface (UI) misrepresentation of critical information (CVSS 4.3).
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in DevTools (CVSS 4.3).
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in DevTools.
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in PDF.
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in Clipboard.
Google Chrome on Android versions up to 146.0.7680.71 contain an incorrect security UI vulnerability in Downloads.
Google Chrome on Android versions up to 146.0.7680.71 are affected by a use after free in WebView (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 contain an incorrect security UI vulnerability in WebAppInstalls.
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in ChromeDriver.
Google Chrome on Android versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in PDF.
Google Chrome versions up to 146.0.7680.71 are affected by a heap-based buffer overflow in Skia (CVSS 8.8).
Google Chrome on iOS versions up to 146.0.7680.71 contain an unsafe navigation vulnerability in Navigation.
Google Chrome versions up to 146.0.7680.71 contain a side-channel information leakage vulnerability in ResourceTiming (CVSS 3.1).
Google Chrome versions up to 146.0.7680.71 contain an insufficient policy enforcement vulnerability in Extensions.
Google Chrome versions up to 146.0.7680.71 contain an incorrect security UI vulnerability in PictureInPicture.
Google Chrome versions up to 146.0.7680.71 are affected by an out-of-bounds read in V8 (CVSS 8.8).
Google Chrome on Android versions up to 146.0.7680.71 are affected by incorrect security UI in LookalikeChecks, a user interface (UI) misrepresentation of critical information (CVSS 4.3).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in WindowDialog (CVSS 7.5).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in WebMIDI (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in MediaStream (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in TextEncoding (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by out of bounds memory access in WebML, an out-of-bounds read (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in Extensions (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in WebMCP (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a use after free in Agents (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
Google Chrome versions up to 146.0.7680.71 are affected by a heap-based buffer overflow in WebML (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 contain an integer overflow vulnerability in WebML (CVSS 8.8).
Google Chrome versions up to 146.0.7680.71 are affected by a heap-based buffer overflow in WebML (CVSS 8.8).
Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.
Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.
Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.
Modem has a fifth OOB write enabling remote privilege escalation.
An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.
Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.
Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.
Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.
Modem has a fourth OOB write due to incorrect bounds check.
Modem has a third OOB write in cell broadcast utilities.
Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.
Modem OOB write in cell broadcast utilities enabling privilege escalation.
Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.
Android versions up to - are affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Android versions up to - contain a vulnerability that allows attackers local escalation of privilege with no additional execution privileges needed (CVSS 8.4).
In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.