Skip to main content

Google

13975 CVEs vendor

Monthly

CVE-2026-13793 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13792 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS versions prior to 150.0.7871.47 stems from a use-after-free in the Touchbar component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Reported through Google's internal Chrome security process and rated High by Chromium, it carries a CVSS 9.6 due to scope change and full CIA impact, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.21%. SSVC assesses current exploitation as none, indicating this is a patch-now-but-not-panic item.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13791 HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop before 150.0.7871.47 arises from insufficient input validation in the Downloads component, letting a crafted Chrome extension break out of its intended sandbox constraints. An attacker who first convinces a victim to install a malicious extension can leverage the flaw to run arbitrary code, which Chromium rates High severity. No public exploit has been identified at time of analysis and EPSS is low (0.15%, 5th percentile), indicating no observed widespread exploitation.

RCE Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13790 MEDIUM PATCH This Month

Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13789 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's GPU process (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6 due to a scope-changing (S:C) full-impact outcome, this is a use-after-free (CWE-416) memory-corruption bug. No public exploit identified at time of analysis; EPSS is low (0.21%, 11th percentile) and CISA SSVC lists exploitation as none, so it is a serious-but-not-yet-exploited patch priority.

Memory Corruption Denial Of Service Use After Free Google
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13788 HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13787 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13786 HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13785 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13784 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13783 HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13782 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-13781 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13780 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13779 HIGH PATCH This Week

Remote code execution in Google Chrome on ChromeOS (versions prior to 150.0.7871.47) stems from a use-after-free in the Chromoting (Chrome Remote Desktop) component, letting a remote attacker corrupt memory and execute arbitrary code through malicious network traffic. Google rates the Chromium severity as Critical, and CVSS scores it 8.1 with a high attack complexity. As of this analysis there is no public exploit identified and it is not listed in CISA KEV; EPSS is low at 0.24% (15th percentile), and SSVC records exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13778 HIGH PATCH This Week

Local arbitrary code execution in Google Chrome for macOS (versions prior to 150.0.7871.47) stems from a use-after-free in the WebUSB implementation, which Chromium rates Critical. A local attacker who can present a malicious USB peripheral to a victim who authorizes it can corrupt renderer memory and run attacker-controlled code within the browser's context. There is no public exploit identified at time of analysis, and EPSS is low (0.16%, 5th percentile), reflecting limited likelihood of widespread opportunistic exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-13777 HIGH PATCH This Week

Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13776 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13775 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-13774 HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free flaw in the Extensions component, which Chromium rated Critical severity. An attacker who convinces a victim to install a malicious extension can trigger the dangling-pointer condition through a crafted extension to run arbitrary code in the affected process. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and CISA/SSVC records no observed exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2022-31008 MEDIUM PATCH GHSA This Month

### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-8944 MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP Google Plugin For Google Analytics By Io Technologies
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13543 LOW POC PATCH Monitor

Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.

Authentication Bypass Google Documenso
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.4%
CVE-2026-13514 LOW Monitor

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 4.0
0.9
EPSS
0.1%
CVE-2026-13335 MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google Codepeople Post Map For Google Maps
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-53283 MEDIUM PATCH This Month

Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.

Google Linux Amd Canonical Denial Of Service +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-9222 CRITICAL Act Now

Authentication bypass in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets an attacker who possesses a user's stored password hash authenticate directly to the backend and gain full account access. Because the backend treats the password hash itself as the secret credential, the hash is password-equivalent and does not need to be cracked back to plaintext. No public exploit identified at time of analysis; the issue was disclosed through CISA/ICS-CERT (advisory VA-26-176-01) and carries a high CVSS 4.0 score of 9.2.

Information Disclosure Google
NVD
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-9221 HIGH This Week

Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. Reported by CISA ICS-CERT (DHS) and tracked in a CSAF advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Google
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-9220 HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-9219 HIGH This Week

Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.

Information Disclosure Google
NVD
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-13283 HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service Use After Free RCE +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13282 MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free Google Suse +1
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-13281 HIGH PATCH This Week

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Buffer Overflow Google Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-2299 MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google Mattermost Google Drive Plugin
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-56767 HIGH PATCH This Week

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. Robot.findAll() with no userId scope), so a low-privileged account on a shared/multi-tenant instance can pivot across the entire tenant base. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix is committed and the trivial nature of an IDOR makes it readily reproducible.

Authentication Bypass Google Maxun
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-53260 CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-53259 HIGH PATCH This Week

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.

Linux Information Disclosure Google Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53766 MEDIUM PATCH This Month

Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. No public exploit has been identified and the CVE is not listed in CISA KEV; a vendor-released patch is available in version 1.1.0.

Path Traversal Google Chrome Devtools Mcp
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-54069 Go CRITICAL POC PATCH GHSA Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-45677 HIGH PATCH This Week

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.

Authentication Bypass Microsoft Google
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-13037 HIGH PATCH This Week

Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13036 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13035 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.

Memory Corruption Google Denial Of Service Use After Free RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13034 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-13031 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13030 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android before 149.0.7827.197 exposes process memory contents to remote attackers without requiring authentication. An attacker who induces a user to load a crafted HTML page can read potentially sensitive data from Chrome's GPU process memory, consistent with the High confidentiality impact assigned in the CVSS vector. No public exploit code exists at time of analysis, and CISA's SSVC framework classifies exploitation as none and not automatable with only partial technical impact - indicating this is a patch-cycle priority rather than an emergency response item.

Information Disclosure Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13029 HIGH PATCH This Week

Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-13027 HIGH PATCH This Week

Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13026 HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. EPSS data was not provided, but the absence of KEV listing and no observed exploitation point to risk driven by Chrome's massive install base rather than confirmed in-the-wild abuse.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13025 HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component (versions prior to 149.0.7827.197) lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page that triggers a race condition. Rated High by Chromium with a scope-changing CVSS 8.3, it requires a prior renderer compromise plus user interaction, and there is no public exploit identified at time of analysis. SSVC lists exploitation as none, indicating no observed in-the-wild use despite the total technical impact.

Information Disclosure Google Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13024 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows an attacker who has already compromised the renderer process to escape Chrome's cross-origin containment boundary via a crafted HTML page, affecting all Chrome versions prior to 149.0.7827.197. The vulnerability stems from insufficient input validation (CWE-20) in the Navigation subsystem, which fails to properly enforce site isolation when navigations are initiated from a compromised renderer. No public exploit code has been identified and CISA SSVC confirms no known active exploitation at time of analysis, though the prerequisite of renderer compromise makes this a meaningful second-stage escalation primitive.

Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13023 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome prior to 149.0.7827.197 enables a second-stage attacker who has already compromised the renderer process to read sensitive data from GPU process memory via a crafted HTML page. Classified as CWE-457 (Use of Uninitialized Variable), the flaw creates an information disclosure path within Chrome's multi-process architecture. No public exploit exists, CISA has not listed this in KEV, and SSVC rates exploitation as none - but the C:H confidentiality impact rating reflects meaningful data exposure if an attacker successfully chains this with a renderer exploit.

Information Disclosure Google Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13022 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Autofill implementation allows a remote attacker who has already achieved renderer process compromise to exfiltrate sensitive cross-origin data via a specially crafted HTML page. Affected versions include all Chrome releases prior to 149.0.7827.197; the flaw was reported by the Chrome security team and rated High severity by Chromium. No public exploit code has been identified and no active exploitation is confirmed, though the vulnerability chains onto a renderer compromise making real-world exploitation a two-stage attack.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13021 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. SSVC assessment confirms no exploitation at time of analysis, and no public exploit code has been identified; the CVSS score of 4.3 Medium reflects meaningful but bounded confidentiality impact contingent on user interaction.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13038 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13033 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.

Google RCE Buffer Overflow Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13032 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though Google has shipped a fix.

Memory Corruption Denial Of Service Use After Free Google Red Hat
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13028 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none.

Memory Corruption Denial Of Service Use After Free Google
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-53109 Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on shmem range. [1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/ pte_free_defer() sets the active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820 [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().

Linux IBM Information Disclosure Google
NVD VulDB
EPSS
0.2%
CVE-2026-52975 HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12537 npm CRITICAL PATCH Act Now

Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. No public exploit has been identified at time of analysis, but Google rates this CVSS 4.0 10.0 and a vendor advisory (GHSA-wpqr-6v78-jr5g) with fixed releases is available.

Command Injection RCE Google Gemini Cli Run Gemini Cli Github Action
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-56270 npm HIGH PATCH This Week

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Authentication Bypass Microsoft Google Flowise
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-10753 LOW POC PATCH Monitor

Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Google Site Kit By Google
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-12681 Go HIGH This Week

Trusted measurement-list poisoning in Google go-attestation through 0.6.0 lets a remote actor who controls a TPM event log fed to an attestation verifier inject arbitrary SHA256 hashes into the verifier's trusted hash database. Because parseEfiSignatureList() never advances past the EFI_SIGNATURE_LIST SignatureHeaderSize vendor bytes, those attacker-chosen bytes are accepted as legitimate hash entries, allowing a compromised boot state to be attested as healthy. No public exploit identified at time of analysis, but the fix is upstream in v0.6.1 and the root cause is documented in GHSA-9r4w-jg96-92mv.

Google Code Injection Go Attestation
NVD GitHub
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-54318 HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-52814 Go MEDIUM PATCH GHSA This Month

File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.

Google Denial Of Service Python
NVD GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-50179 npm MEDIUM PATCH GHSA This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub
CVSS 3.1
4.2
EPSS
0.3%
CVE-2026-46672 npm MEDIUM PATCH GHSA This Month

CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.

Google RCE Microsoft Node.js
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-8934 MEDIUM PATCH This Month

Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.

Authentication Bypass Google Cloud Console Uis
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-12888 LOW PATCH Monitor

HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

Google Code Injection Docker Canarytokens
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2019-25763 CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress PHP Ultimate Addons For Beaver Builder
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55446 PyPI HIGH PATCH GHSA This Week

Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.

Python Microsoft Apple Mozilla Denial Of Service +2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-32208 MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Microsoft Google XSS Edge Chromium
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-55185 Go MEDIUM PATCH GHSA This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF Open Redirect Mozilla +1
NVD GitHub
CVE-2026-21768 MEDIUM This Month

HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. With High confidentiality and integrity impact signals in the CVSS vector, successful exploitation could expose sensitive email data or allow unauthorized modification of content; no public exploit code has been identified at time of analysis.

Google Information Disclosure Verse For Android
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-11989 MEDIUM This Month

Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.

Google WordPress SSRF Bit Integrations Form Integration Webhook Spreadsheets Crm Lms Email Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12047 MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-55669 Go MEDIUM PATCH GHSA This Month

Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-10029 MEDIUM This Month

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.

Authentication Bypass Google WordPress Information Disclosure Event Koi Lite Events Calendar Event Management Rsvp And Tickets
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-54008 PyPI HIGH PATCH GHSA This Week

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.

Python PostgreSQL Microsoft Docker Redis +4
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-48117 MEDIUM This Month

Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. The vulnerability was remediated server-side by the vendor on 2025-05-20; no public exploit or CISA KEV listing has been identified, and no user action is required.

Authentication Bypass Google Droneaware Node Releases
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-53765 npm MEDIUM PATCH GHSA This Month

Symlink-following in chrome-devtools-mcp (npm, versions 0.20.0 through 1.0.1) allows any local user on the same POSIX host to truncate and overwrite arbitrary files owned by a victim user by pre-placing a symlink at the daemon's deterministic PID file path under /tmp. The attack targets macOS unconditionally and Linux sessions where $XDG_RUNTIME_DIR is unset, because the runtime path falls back to world-accessible /tmp. A detailed proof-of-concept demonstrating SSH key destruction is published in the GitHub Security Advisory; no confirmed active exploitation or CISA KEV listing exists at time of analysis, but the attack requires only a local account and trivial setup.

Google Microsoft Apple Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-32949 HIGH This Week

Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels.3.8. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass Integrate Google Drive
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12165 HIGH This Week

Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.

Privilege Escalation PHP Google WordPress Contest Gallery Upload Vote Photos Media Sell With Paypal Stripe
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-28575 CRITICAL Act Now

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.

Google Java Denial Of Service
NVD
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-12469 MEDIUM PATCH This Month

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12468 HIGH PATCH This Week

Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12467 HIGH PATCH This Week

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Denial Of Service Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12466 HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Heap Overflow RCE Buffer Overflow +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-12465 HIGH PATCH This Week

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS versions prior to 150.0.7871.47 stems from a use-after-free in the Touchbar component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Reported through Google's internal Chrome security process and rated High by Chromium, it carries a CVSS 9.6 due to scope change and full CIA impact, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.21%. SSVC assesses current exploitation as none, indicating this is a patch-now-but-not-panic item.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop before 150.0.7871.47 arises from insufficient input validation in the Downloads component, letting a crafted Chrome extension break out of its intended sandbox constraints. An attacker who first convinces a victim to install a malicious extension can leverage the flaw to run arbitrary code, which Chromium rates High severity. No public exploit has been identified at time of analysis and EPSS is low (0.15%, 5th percentile), indicating no observed widespread exploitation.

RCE Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's GPU process (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6 due to a scope-changing (S:C) full-impact outcome, this is a use-after-free (CWE-416) memory-corruption bug. No public exploit identified at time of analysis; EPSS is low (0.21%, 11th percentile) and CISA SSVC lists exploitation as none, so it is a serious-but-not-yet-exploited patch priority.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS before 150.0.7871.47 stems from a use-after-free in the browser's Bluetooth component, letting a remote attacker who lures a user into specific UI gestures on a crafted HTML page corrupt memory and break out of the renderer sandbox. Rated Critical by Chromium and CVSS 9.6, though no public exploit has been identified and EPSS is low (0.22%, 13th percentile). A vendor fix is available and CISA SSVC currently marks exploitation as 'none'.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework prior to 150.0.7871.47 lets a remote attacker trigger heap corruption after luring a user to a crafted HTML page and performing specific UI gestures, potentially achieving code execution in the renderer/browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction. No public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile); SSVC lists exploitation as none but technical impact as total.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Google Chrome's Views UI framework, fixed in 150.0.7871.47, lets a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page trigger heap corruption and potentially achieve code execution in the browser process. Chromium rates the flaw Critical, though the CVSS is 8.8 due to required user interaction; there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.22%.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Chromium rates the underlying use-after-free as Critical, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%). A vendor patch is available and the flaw is a classic second-stage chain component rather than a standalone entry point.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome on ChromeOS (versions prior to 150.0.7871.47) stems from a use-after-free in the Chromoting (Chrome Remote Desktop) component, letting a remote attacker corrupt memory and execute arbitrary code through malicious network traffic. Google rates the Chromium severity as Critical, and CVSS scores it 8.1 with a high attack complexity. As of this analysis there is no public exploit identified and it is not listed in CISA KEV; EPSS is low at 0.24% (15th percentile), and SSVC records exploitation status as none.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local arbitrary code execution in Google Chrome for macOS (versions prior to 150.0.7871.47) stems from a use-after-free in the WebUSB implementation, which Chromium rates Critical. A local attacker who can present a malicious USB peripheral to a victim who authorizes it can corrupt renderer memory and run attacker-controlled code within the browser's context. There is no public exploit identified at time of analysis, and EPSS is low (0.16%, 5th percentile), reflecting limited likelihood of widespread opportunistic exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).

Memory Corruption Information Disclosure Google +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop prior to 150.0.7871.47 stems from a use-after-free in the GPU process, letting a remote attacker who has already compromised the renderer break out of the browser sandbox via a crafted HTML page. Google rates the Chromium severity as Critical, and a fix is available in the Stable channel update. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.22% (13th percentile).

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free flaw in the Extensions component, which Chromium rated Critical severity. An attacker who convinces a victim to install a malicious extension can trigger the dangling-pointer condition through a crafted extension to run arbitrary code in the affected process. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and CISA/SSVC records no observed exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Information Disclosure Red Hat +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP +2
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.

Authentication Bypass Google Documenso
NVD VulDB GitHub
EPSS 0% CVSS 0.9
LOW Monitor

Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.

Authentication Bypass Google
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.

Google Linux Amd +3
NVD VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authentication bypass in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets an attacker who possesses a user's stored password hash authenticate directly to the backend and gain full account access. Because the backend treats the password hash itself as the secret credential, the hash is password-equivalent and does not need to be cracked back to plaintext. No public exploit identified at time of analysis; the issue was disclosed through CISA/ICS-CERT (advisory VA-26-176-01) and carries a high CVSS 4.0 score of 9.2.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. Reported by CISA ICS-CERT (DHS) and tracked in a CSAF advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.

Information Disclosure Google
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +4
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.

Memory Corruption Denial Of Service Use After Free +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Buffer Overflow Google Suse +1
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

Missing authorization in the Mattermost Google Drive plugin's file creation endpoint (all versions before 1.1.0) allows authenticated Mattermost users with a linked Google account to share Drive files into private channels they are not a member of, and to infer the existence and membership of those private channels. The root cause is CWE-862 (Missing Authorization): the endpoint processes the target channel ID supplied by the caller without verifying the caller belongs to that channel. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Mattermost Google +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. Robot.findAll() with no userId scope), so a low-privileged account on a shared/multi-tenant instance can pivot across the entire tenant base. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix is committed and the trivial nature of an IDOR makes it readily reproducible.

Authentication Bypass Google Maxun
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.

Linux Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Symlink-based workspace boundary bypass in chrome-devtools-mcp (versions 0.24.0 through before 1.1.0) allows a local low-privileged actor - including an AI coding agent itself - to read or overwrite files outside the configured workspace root. The McpContext.validatePath() function performs only a lexical prefix check on the resolved path and never canonicalizes symbolic links, so an in-root symlink whose target lies outside the root passes validation and causes downstream file operations to act on the real out-of-workspace target. No public exploit has been identified and the CVE is not listed in CISA KEV; a vendor-released patch is available in version 1.1.0.

Path Traversal Google Chrome Devtools Mcp
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL POC PATCH Act Now

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited.

XSS Google Siyuan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.

Authentication Bypass Microsoft Google
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android before 149.0.7827.197 exposes process memory contents to remote attackers without requiring authentication. An attacker who induces a user to load a crafted HTML page can read potentially sensitive data from Chrome's GPU process memory, consistent with the High confidentiality impact assigned in the CVSS vector. No public exploit code exists at time of analysis, and CISA's SSVC framework classifies exploitation as none and not automatable with only partial technical impact - indicating this is a patch-cycle priority rather than an emergency response item.

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. EPSS data was not provided, but the absence of KEV listing and no observed exploitation point to risk driven by Chrome's massive install base rather than confirmed in-the-wild abuse.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component (versions prior to 149.0.7827.197) lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page that triggers a race condition. Rated High by Chromium with a scope-changing CVSS 8.3, it requires a prior renderer compromise plus user interaction, and there is no public exploit identified at time of analysis. SSVC lists exploitation as none, indicating no observed in-the-wild use despite the total technical impact.

Information Disclosure Google Red Hat
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows an attacker who has already compromised the renderer process to escape Chrome's cross-origin containment boundary via a crafted HTML page, affecting all Chrome versions prior to 149.0.7827.197. The vulnerability stems from insufficient input validation (CWE-20) in the Navigation subsystem, which fails to properly enforce site isolation when navigations are initiated from a compromised renderer. No public exploit code has been identified and CISA SSVC confirms no known active exploitation at time of analysis, though the prerequisite of renderer compromise makes this a meaningful second-stage escalation primitive.

Authentication Bypass Google Red Hat
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome prior to 149.0.7827.197 enables a second-stage attacker who has already compromised the renderer process to read sensitive data from GPU process memory via a crafted HTML page. Classified as CWE-457 (Use of Uninitialized Variable), the flaw creates an information disclosure path within Chrome's multi-process architecture. No public exploit exists, CISA has not listed this in KEV, and SSVC rates exploitation as none - but the C:H confidentiality impact rating reflects meaningful data exposure if an attacker successfully chains this with a renderer exploit.

Information Disclosure Google Red Hat
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Autofill implementation allows a remote attacker who has already achieved renderer process compromise to exfiltrate sensitive cross-origin data via a specially crafted HTML page. Affected versions include all Chrome releases prior to 149.0.7827.197; the flaw was reported by the Chrome security team and rated High severity by Chromium. No public exploit code has been identified and no active exploitation is confirmed, though the vulnerability chains onto a renderer compromise making real-world exploitation a two-stage attack.

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. SSVC assessment confirms no exploitation at time of analysis, and no public exploit code has been identified; the CVSS score of 4.3 Medium reflects meaningful but bounded confidentiality impact contingent on user interaction.

Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.

Google RCE Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though Google has shipped a fix.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0%
Monitor

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy powerpc uses pt_frag_refcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16 fragments of 4K size in one 64K page. Patch series [1] "mm: free retracted page table by RCU" added pte_free_defer() to defer the freeing of PTE tables when retract_page_tables() is called for madvise MADV_COLLAPSE on shmem range. [1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/ pte_free_defer() sets the active flag on the corresponding fragment's folio & calls pte_fragment_free(), which reduces the pt_frag_refcount. When pt_frag_refcount reaches 0 (no active fragment using the folio), it checks if the folio active flag is set, if set, it calls call_rcu to free the folio, it the active flag is unset then it calls pte_free_now(). Now, this can lead to following problem in a corner case... [ 265.351553][ T183] BUG: Bad page state in process a.out pfn:20d62 [ 265.353555][ T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62 [ 265.355457][ T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff) [ 265.358719][ T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000 [ 265.360177][ T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000 [ 265.361438][ T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 265.362572][ T183] Modules linked in: [ 265.364622][ T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY [ 265.364785][ T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries [ 265.364908][ T183] Call Trace: [ 265.364955][ T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable) [ 265.365202][ T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8 [ 265.365384][ T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08 [ 265.365554][ T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310 [ 265.365729][ T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218 [ 265.365912][ T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820 [ 265.366080][ T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300 [ 265.366244][ T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508 [ 265.366421][ T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148 [ 265.366602][ T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178 [ 265.366780][ T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0 [ 265.366958][ T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec The bad page state error occurs when such a folio gets freed (with active flag set), from do_exit() path in parallel. ... this can happen when the pte fragment was allocated from this folio, but when all the fragments get freed, the pte_frag_refcount still had some unused fragments. Now, if this process exits, with such folio as it's cached pte_frag in mm->context, then during pte_frag_destroy(), we simply call pagetable_dtor() and pagetable_free(), meaning it doesn't clear the active flag. This, can lead to the above bug. Since we are anyway in do_exit() path, then if the refcount is 0, then I guess it should be ok to simply clear the folio active flag before calling pagetable_dtor() & pagetable_free().

Linux IBM Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Concurrent access to an unprotected pointer in the Linux kernel's 802.3ad (LACP) bonding driver allows a local user to trigger a data race between the AD state-machine worker and the rtnetlink read path that fetches active aggregator info. Discovered by syzbot/KCSAN, the torn read of the `port->aggregator` pointer can disclose kernel memory state or destabilize the bonding driver on systems configured with LACP NIC teaming. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).

Linux Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. No public exploit has been identified at time of analysis, but Google rates this CVSS 4.0 10.0 and a vendor advisory (GHSA-wpqr-6v78-jr5g) with fixed releases is available.

Command Injection RCE Google +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.

Authentication Bypass Microsoft Google +1
NVD GitHub VulDB
EPSS 0% CVSS 2.7
LOW POC PATCH Monitor

Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Google +1
NVD WPScan VulDB
EPSS 0% CVSS 8.9
HIGH This Week

Trusted measurement-list poisoning in Google go-attestation through 0.6.0 lets a remote actor who controls a TPM event log fed to an attestation verifier inject arbitrary SHA256 hashes into the verifier's trusted hash database. Because parseEfiSignatureList() never advances past the EFI_SIGNATURE_LIST SignatureHeaderSize vendor bytes, those attacker-chosen bytes are accepted as legitimate hash entries, allowing a compromised boot state to be attested as healthy. No public exploit identified at time of analysis, but the fix is upstream in v0.6.1 and the root cause is documented in GHSA-9r4w-jg96-92mv.

Google Code Injection Go Attestation
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.

Google Authentication Bypass Core
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.

Google Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Google Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.

Google RCE Microsoft +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.

Authentication Bypass Google Cloud Console Uis
NVD
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

Google Code Injection Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.

Python Microsoft Apple +4
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH NO ACTION HOSTED Monitor

Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.

Microsoft Google XSS +1
NVD VulDB
MEDIUM PATCH This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF +3
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. With High confidentiality and integrity impact signals in the CVSS vector, successful exploitation could expose sensitive email data or allow unauthorized modification of content; no public exploit code has been identified at time of analysis.

Google Information Disclosure Verse For Android
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.

Google WordPress SSRF +1
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.

Authentication Bypass Google
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.

Authentication Bypass Google WordPress +2
NVD
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.

Python PostgreSQL Microsoft +6
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. The vulnerability was remediated server-side by the vendor on 2025-05-20; no public exploit or CISA KEV listing has been identified, and no user action is required.

Authentication Bypass Google Droneaware Node Releases
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Symlink-following in chrome-devtools-mcp (npm, versions 0.20.0 through 1.0.1) allows any local user on the same POSIX host to truncate and overwrite arbitrary files owned by a victim user by pre-placing a symlink at the daemon's deterministic PID file path under /tmp. The attack targets macOS unconditionally and Linux sessions where $XDG_RUNTIME_DIR is unset, because the runtime path falls back to world-accessible /tmp. A detailed proof-of-concept demonstrating SSH key destruction is published in the GitHub Security Advisory; no confirmed active exploitation or CISA KEV listing exists at time of analysis, but the attack requires only a local account and trivial setup.

Google Microsoft Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels.3.8. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass Integrate Google Drive
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.

Privilege Escalation PHP Google +2
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.

Google Java Denial Of Service
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Heap Overflow +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat +1
NVD VulDB
Prev Page 7 of 156 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy