Monthly
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.
Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)
Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap corruption in Google Chrome's Digital Credentials component (versions prior to 149.0.7827.155) allows remote attackers to trigger a use-after-free condition by enticing a user to visit a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates this issue as Critical severity, and Google has released a patched stable-channel build; no public exploit identified at time of analysis and EPSS sits at 0.31% (23rd percentile), indicating low predicted near-term exploitation pressure despite the high CVSS of 8.8.
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).
Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.
Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.
In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{scheme}://{host}{path}` without validating the path prefix, and RFC 3986 §3.2.1 re-parsing then interprets the `@` symbol as a userinfo delimiter, shifting hostname authority to the attacker-supplied value. Exploitation is constrained to middleware or 404/exception handlers that act on `request.url` before routing, since the malformed path matches no registered route; no active exploitation is confirmed (not in CISA KEV) and no public exploit code beyond the advisory PoC has been identified.
Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. No public exploit code or CISA KEV listing has been identified at the time of analysis, placing this in the medium-priority tier despite the unauthenticated attack vector.
Unbounded input in ua-parser-js v2.0.1–2.0.9's Client Hints API enables remote denial-of-service via catastrophic regex backtracking. Any server-side Node.js application calling `UAParser(headers).withClientHints()` is vulnerable to CPU exhaustion when an attacker supplies an oversized `Sec-CH-UA-Model` header — a single ~32,000-character request consumes over 400ms of CPU with polynomial growth. A functional proof-of-concept exploit is publicly available in the GitHub Security Advisory (GHSA-9h5v-pfqq-x599); no active exploitation in CISA KEV has been confirmed at time of analysis.
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) allows remote attackers to overwrite the project's vite.config.ts and execute arbitrary Node.js code on the host when the browser API server is bound to a network-reachable interface (e.g. --browser.api.host=0.0.0.0). The flaw stems from the cdp() API forwarding raw Chrome DevTools Protocol calls over the browser WebSocket RPC without honoring the allowWrite/allowExec gates that normally restrict Browser Mode. Publicly available exploit code exists in the GHSA-g8mr-85jm-7xhm advisory's step-by-step reproduction, though no CISA KEV listing has been issued.
{ IN_PLACE: true })` - a pattern common in email-preview panes, WYSIWYG editors, and declarative shadow DOM consumers. Three working proof-of-concept exploits are publicly available, confirmed against DOMPurify 3.4.5 and HEAD commit `89da34e` on Chromium 148; no CISA KEV listing exists at time of analysis.
Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.
Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.
Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.
Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.
Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Improper authorization in the custom URL scheme handler of Genspark AI Workspace App 2.8.4 on Android allows a local low-privileged attacker to invoke restricted application functionality via the ai.mainfunc.genspark component without proper access control. The flaw is classified under CWE-939, affecting inter-app communication on Android where the URL scheme handler fails to verify the caller's authorization. No patch is available as the vendor did not respond to responsible disclosure; no public exploit or CISA KEV confirmation exists at time of analysis.
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.
Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.
Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default editor role to inject arbitrary JavaScript that executes in every visitor's browser. The seoGoogleTrackingId and seoGoogleTagManager fields are interpolated directly into inline <script> tag bodies via template literals with no sanitization, turning legitimate analytics configuration into a persistent payload delivery channel. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.
Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.
Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.
Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.
Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.
Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Site isolation bypass in Google Chrome for Android (versions prior to 149.0.7827.115) enables an attacker who has already achieved renderer process compromise to cross origin boundaries via a crafted HTML page, potentially exposing password data managed by the browser's Passwords component. The vulnerability is rooted in CWE-346 (Origin Validation Error) - Chrome's Passwords implementation on Android fails to properly enforce origin checks in the context of a compromised renderer. No public exploit identified at time of analysis; the low CVSS base score of 3.1 reflects that exploitation is dependent on a prior renderer compromise, making this a chained-exploitation concern rather than a standalone critical risk.
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox through a heap-based out-of-bounds write in the GPU process triggered by a crafted HTML page. Chromium rates the severity High and a vendor patch is available, but no public exploit has been identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack (compromised renderer required) combined with full impact across confidentiality, integrity, and availability.
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.
Out-of-bounds read in Google Chrome's Video component on ChromeOS exposes process memory to attackers who have already established renderer process compromise. Specifically, an attacker with an existing foothold in the renderer can serve a crafted HTML page to a ChromeOS user and extract potentially sensitive data from memory. No public exploit or CISA KEV listing exists at time of analysis, and EPSS places exploitation probability at 0.03% (11th percentile), indicating low real-world exploitation activity despite the High CVSS confidentiality impact.
Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.
Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a heap buffer overflow in the Codecs component triggered by a crafted HTML page. Google rates the underlying issue as High severity and a vendor patch is available, but no public exploit is identified at time of analysis and the bug is not listed in CISA KEV. Exploitation is conditional on chaining with a prior renderer compromise, which raises real-world complexity.
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.
Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.
Sandbox escape in Google Chrome's DevTools component before version 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, this is a second-stage vulnerability typically chained with a renderer RCE bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in the GPU process. Chromium rates this severity Critical, and while no public exploit identified at time of analysis, the bug is part of a classic two-stage exploitation chain typically used in browser zero-day exploits. Patch is available from vendor in Chrome 149.0.7827.115 and later.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that exercises the Accessibility subsystem. Chromium rates the issue Critical severity; no public exploit identified at time of analysis, and the flaw is not on the CISA KEV list. The bug is reachable only after a prior renderer compromise and requires user interaction, which limits drive-by exploitation but makes it a key second-stage primitive in a full browser chain.
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Information disclosure in Element Call 0.5.17 through 0.19.3 causes the application to send full visited URLs (including URL fragments) to a configured PostHog analytics server via the `$initial_person_info`, `$session_entry_url`, and `$current_url` fields. On standalone SPA deployments such as call.element.io that encode call encryption passwords in the URL fragment, this can leak those passwords to anyone with access to the PostHog data, enabling decryption of the associated E2EE media streams. No public exploit identified at time of analysis; the issue was disclosed and patched by the vendor in 0.19.4.
Privilege escalation in Google Cloud Dialogflow CX allows authenticated users holding specific IAM roles to abuse the playbook import functionality and potentially take over the entire GCP project. Google has confirmed the issue was patched server-side on 15 March 2026 with no customer action required, and no public exploit has been identified at time of analysis.
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.
Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)
Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap corruption in Google Chrome's Digital Credentials component (versions prior to 149.0.7827.155) allows remote attackers to trigger a use-after-free condition by enticing a user to visit a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates this issue as Critical severity, and Google has released a patched stable-channel build; no public exploit identified at time of analysis and EPSS sits at 0.31% (23rd percentile), indicating low predicted near-term exploitation pressure despite the high CVSS of 8.8.
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).
Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.
Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.
In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{scheme}://{host}{path}` without validating the path prefix, and RFC 3986 §3.2.1 re-parsing then interprets the `@` symbol as a userinfo delimiter, shifting hostname authority to the attacker-supplied value. Exploitation is constrained to middleware or 404/exception handlers that act on `request.url` before routing, since the malformed path matches no registered route; no active exploitation is confirmed (not in CISA KEV) and no public exploit code beyond the advisory PoC has been identified.
Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. No public exploit code or CISA KEV listing has been identified at the time of analysis, placing this in the medium-priority tier despite the unauthenticated attack vector.
Unbounded input in ua-parser-js v2.0.1–2.0.9's Client Hints API enables remote denial-of-service via catastrophic regex backtracking. Any server-side Node.js application calling `UAParser(headers).withClientHints()` is vulnerable to CPU exhaustion when an attacker supplies an oversized `Sec-CH-UA-Model` header — a single ~32,000-character request consumes over 400ms of CPU with polynomial growth. A functional proof-of-concept exploit is publicly available in the GitHub Security Advisory (GHSA-9h5v-pfqq-x599); no active exploitation in CISA KEV has been confirmed at time of analysis.
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) allows remote attackers to overwrite the project's vite.config.ts and execute arbitrary Node.js code on the host when the browser API server is bound to a network-reachable interface (e.g. --browser.api.host=0.0.0.0). The flaw stems from the cdp() API forwarding raw Chrome DevTools Protocol calls over the browser WebSocket RPC without honoring the allowWrite/allowExec gates that normally restrict Browser Mode. Publicly available exploit code exists in the GHSA-g8mr-85jm-7xhm advisory's step-by-step reproduction, though no CISA KEV listing has been issued.
{ IN_PLACE: true })` - a pattern common in email-preview panes, WYSIWYG editors, and declarative shadow DOM consumers. Three working proof-of-concept exploits are publicly available, confirmed against DOMPurify 3.4.5 and HEAD commit `89da34e` on Chromium 148; no CISA KEV listing exists at time of analysis.
Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.
Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.
Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.
Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.
Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Improper authorization in the custom URL scheme handler of Genspark AI Workspace App 2.8.4 on Android allows a local low-privileged attacker to invoke restricted application functionality via the ai.mainfunc.genspark component without proper access control. The flaw is classified under CWE-939, affecting inter-app communication on Android where the URL scheme handler fails to verify the caller's authorization. No patch is available as the vendor did not respond to responsible disclosure; no public exploit or CISA KEV confirmation exists at time of analysis.
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.
Improper access control in File Browser (filebrowser/filebrowser, Go) versions <= 2.63.6 lets a user with share/download permissions create a public share for a path that does not yet exist; because the share record stores only a path string and is never bound to a concrete object, the link silently begins exposing whatever file later appears at that path via GET /api/public/dl/<hash>. The flaw mirrors the Android MediaProvider issue CVE-2026-0035 — the create handler omits an existence check before persisting the share. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but a step-by-step PoC is included in the GitHub Security Advisory.
Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default editor role to inject arbitrary JavaScript that executes in every visitor's browser. The seoGoogleTrackingId and seoGoogleTagManager fields are interpolated directly into inline <script> tag bodies via template literals with no sanitization, turning legitimate analytics configuration into a persistent payload delivery channel. No public exploit identified at time of analysis, and no vendor-released patch identified at time of analysis.
Privilege escalation in Zoom Workplace mobile clients (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler for a custom URL scheme, allowing a remote attacker to elevate privileges over network access. The CVSS 8.1 rating reflects high confidentiality and integrity impact with low-complexity exploitation, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Privilege escalation in the Zoom Workplace mobile app (Android before 7.0.4, iOS before 7.0.3) stems from improper authorization in the handler that processes the app's custom URL scheme, allowing an unauthenticated actor to elevate privileges via network access. Zoom self-reported and patched the flaw, and no public exploit identified at time of analysis; EPSS remains very low (0.04%, 12th percentile) and CISA SSVC marks exploitation as none, indicating no observed activity despite the 9.8 CVSS score.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.
Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.
Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.
Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.
Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Site isolation bypass in Google Chrome for Android (versions prior to 149.0.7827.115) enables an attacker who has already achieved renderer process compromise to cross origin boundaries via a crafted HTML page, potentially exposing password data managed by the browser's Passwords component. The vulnerability is rooted in CWE-346 (Origin Validation Error) - Chrome's Passwords implementation on Android fails to properly enforce origin checks in the context of a compromised renderer. No public exploit identified at time of analysis; the low CVSS base score of 3.1 reflects that exploitation is dependent on a prior renderer compromise, making this a chained-exploitation concern rather than a standalone critical risk.
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox through a heap-based out-of-bounds write in the GPU process triggered by a crafted HTML page. Chromium rates the severity High and a vendor patch is available, but no public exploit has been identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack (compromised renderer required) combined with full impact across confidentiality, integrity, and availability.
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Headless component sandbox via a crafted HTML page. The flaw is rated High severity by Chromium and carries CVSS 9.6 due to scope change and user interaction, though EPSS remains very low (0.03%) and there is no public exploit identified at time of analysis. A vendor patch is available in the stable channel update published June 2026.
Out-of-bounds read in Google Chrome's Video component on ChromeOS exposes process memory to attackers who have already established renderer process compromise. Specifically, an attacker with an existing foothold in the renderer can serve a crafted HTML page to a ChromeOS user and extract potentially sensitive data from memory. No public exploit or CISA KEV listing exists at time of analysis, and EPSS places exploitation probability at 0.03% (11th percentile), indicating low real-world exploitation activity despite the High CVSS confidentiality impact.
Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Same-origin policy bypass in Google Chrome's DevTools component exposes all Chrome versions prior to 149.0.7827.115 to cross-origin integrity violations when a victim visits a crafted HTML page. The root cause (CWE-346) is insufficient origin validation within DevTools policy enforcement, allowing a remote unauthenticated attacker to circumvent the browser's fundamental isolation boundary and tamper with cross-origin content. No public exploit identified at time of analysis; EPSS of 0.02% (4th percentile) and absence of a CISA KEV listing indicate currently low real-world exploitation pressure despite the High Chromium severity rating.
Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.
Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a heap buffer overflow in the Codecs component triggered by a crafted HTML page. Google rates the underlying issue as High severity and a vendor patch is available, but no public exploit is identified at time of analysis and the bug is not listed in CISA KEV. Exploitation is conditional on chaining with a prior renderer compromise, which raises real-world complexity.
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.
Site isolation bypass in Google Chrome's Extensions implementation (prior to 149.0.7827.115) enables an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. This is a chained exploit primitive - it cannot be weaponized standalone and requires a preceding renderer compromise, limiting its practical severity despite the network delivery vector. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis. The low CVSS score of 3.1 reflects the high attack complexity and constrained confidentiality impact.
Sandbox escape in Google Chrome's DevTools component before version 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, this is a second-stage vulnerability typically chained with a renderer RCE bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in the GPU process. Chromium rates this severity Critical, and while no public exploit identified at time of analysis, the bug is part of a classic two-stage exploitation chain typically used in browser zero-day exploits. Patch is available from vendor in Chrome 149.0.7827.115 and later.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that exercises the Accessibility subsystem. Chromium rates the issue Critical severity; no public exploit identified at time of analysis, and the flaw is not on the CISA KEV list. The bug is reachable only after a prior renderer compromise and requires user interaction, which limits drive-by exploitation but makes it a key second-stage primitive in a full browser chain.
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Information disclosure in Element Call 0.5.17 through 0.19.3 causes the application to send full visited URLs (including URL fragments) to a configured PostHog analytics server via the `$initial_person_info`, `$session_entry_url`, and `$current_url` fields. On standalone SPA deployments such as call.element.io that encode call encryption passwords in the URL fragment, this can leak those passwords to anyone with access to the PostHog data, enabling decryption of the associated E2EE media streams. No public exploit identified at time of analysis; the issue was disclosed and patched by the vendor in 0.19.4.
Privilege escalation in Google Cloud Dialogflow CX allows authenticated users holding specific IAM roles to abuse the playbook import functionality and potentially take over the entire GCP project. Google has confirmed the issue was patched server-side on 15 March 2026 with no customer action required, and no public exploit has been identified at time of analysis.
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.