Red Hat
Monthly
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
ECDSA signature verification in wolfSSL 3.12.0 through 5.9.0 accepts cryptographically weak digest sizes below protocol-mandated minimums, enabling authentication bypass when attackers possess the public CA key. Authenticated network attackers can exploit this to compromise confidentiality and integrity of certificate-based sessions. Vulnerability arises specifically when EdDSA or ML-DSA algorithms are concurrently enabled alongside ECDSA/ECC verification. No public exploit identified at time of analysis.
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Memory disclosure in Google Chrome on Windows prior to version 147.0.7727.55 allows remote attackers to extract sensitive information from process memory by delivering a crafted HTML page through WebML parsing. The vulnerability stems from insufficient input validation in the WebML component and requires user interaction (visiting a malicious page), making it a moderate-risk information disclosure affecting a ubiquitous browser platform.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.
UI spoofing in Google Chrome fullscreen mode prior to version 147.0.7727.55 allows remote attackers to deceive users with crafted HTML pages displaying fake security UI elements, potentially leading to credential theft or malware distribution through trusted-looking interface impersonation. The vulnerability requires user interaction (clicking/navigating to the malicious page) but poses moderate integrity risk due to the deceptive nature of fullscreen UI manipulation. No active exploitation has been confirmed, though the attack vector is straightforward for mass phishing campaigns.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.
Omnibox spoofing in Google Chrome prior to 147.0.7727.55 allows remote attackers with a compromised renderer process to spoof the URL bar contents via crafted HTML, deceiving users about the actual page origin. The vulnerability requires renderer process compromise (post-sandbox-escape condition) and user interaction, limiting real-world exploitation to multi-stage attacks. Patch available in Chrome 147.0.7727.55 and later; EPSS score of 0.03% reflects low autonomous exploitation likelihood despite medium CVSS rating.
UI spoofing via incorrect security UI rendering in Google Chrome's Blink engine allows remote attackers to deceive users into trusting malicious content through crafted HTML pages, affecting Chrome versions prior to 147.0.7727.55. The attack requires user interaction (clicking or viewing the malicious page) but no authentication. While assigned Medium severity by Google and carrying low EPSS exploitation probability (0.03%, 10th percentile), the integrity impact centers on user trust and phishing enablement rather than code execution.
Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.
Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.
UI spoofing via policy bypass in Blink rendering engine in Google Chrome prior to version 147.0.7727.55 allows remote attackers to deceive users through crafted HTML pages. The vulnerability requires user interaction (clicking or viewing) but needs no authentication, affecting all Chrome users on unpatched versions. Chromium security team rated this as Medium severity; EPSS score of 0.02% indicates low real-world exploitation probability despite public disclosure.
Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.
Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.
Integer overflow in Google Chrome's WebML component (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption via malicious HTML pages, requiring only user interaction to visit a crafted website. The vendor-assigned severity is Critical, though EPSS indicates only 0.03% probability of exploitation in the wild (9th percentile), and no public exploit identified at time of analysis. Patch available in Chrome 147.0.7727.55 and later.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.
Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.
Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deserialization (CWE-502) of resumable container image layer upload state stored in the database. An attacker with the privileges needed to initiate image uploads can tamper with intermediate upload data to execute arbitrary code on the Quay server. No public exploit identified at time of analysis; EPSS is low (0.06%) and CISA SSVC marks exploitation status as none, though technical impact is rated total.
Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concurrent uploads by other users across the entire registry, enabling unauthorized read, modification, or cancellation of in-progress uploads in repositories they cannot access. This cross-repository attack vector affects Red Hat Quay 3.x and Mirror Registry deployments. EPSS score of 0.03% (8th percentile) indicates low predicted exploitation probability in the wild, and CISA SSVC framework rates this as non-automatable with no known exploitation, suggesting targeted risk rather than widespread threat despite the 7.4 CVSS score.
Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in root group) and challenging conditions (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.
Algorithmic complexity denial of service in Go's crypto/x509 library allows remote attackers to cause resource exhaustion via certificate chains containing excessive policy mappings. Affects Go versions <1.25.9 and 1.26.0-1.26.1. Attack requires no authentication (CVSS AV:N/PR:N) but targets only otherwise-trusted certificate chains from roots in the system or configured trust store. EPSS score 0.01% indicates minimal observed exploitation probability. No active exploitation confirmed (not in CI
Denial of service via unbounded memory allocation in Go's archive/tar package when parsing maliciously-crafted tar archives containing many sparse regions in old GNU sparse map format. Affects Go standard library versions prior to 1.25.9 and 1.26.2. Local attackers with user interaction can exhaust system memory, crashing applications that process untrusted tar files. No public exploit code identified; EPSS score of 0.01% indicates very low exploitation probability despite moderate CVSS severity.
Integer overflow in Go compiler's loop optimization (cmd/compile 1.25.x < 1.25.9, 1.26.x < 1.26.2) allows remote code execution through crafted source code that triggers invalid array indexing at runtime. Attack vector is network-accessible (AV:N) with no authentication required (PR:N), enabling attackers to compile malicious Go programs that exploit compiler-generated memory corruption vulnerabilities. EPSS score of 0.01% (1st percentile) indicates low observed exploitation probability despite
Memory corruption in Go compiler cmd/compile versions before 1.25.9 and 1.26.0-1.26.1 allows local authenticated attackers to achieve integrity compromise and denial of service. A flaw in pointer unwrapping logic during memory move operations causes the compiler to incorrectly assess overlapping memory regions, potentially corrupting compiled binaries. EPSS score of 0.01% indicates minimal real-world exploitation probability, and no public exploit or active exploitation (non-KEV) has been identified at time of analysis.
Cross-site scripting (XSS) vulnerability in Go's html/template package allows incorrect escaping of template actions within JavaScript template literals, enabling attackers to inject malicious scripts when template branches and brace-depth tracking are mishandled. Affects html/template versions prior to 1.26.2 and 1.25.9. The vulnerability requires user interaction (UI:R) and is not actively exploited based on available intelligence, though the low EPSS score (0.01%) indicates minimal real-world exploitation likelihood despite the network-accessible attack vector.
Time-of-check-time-of-use (TOCTOU) race condition in Go's internal/syscall/unix Root.Chmod allows local privileged attackers to modify file permissions on targets outside the intended root filesystem boundary. By replacing the target with a symlink between the permission check and the actual chmod operation, attackers can exploit the Linux fchmodat syscall's behavior of silently ignoring AT_SYMLINK_NOFOLLOW to modify arbitrary files outside the restricted root. Exploitation requires high privileges and precise timing; EPSS score of 0.01% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.
Aardvark-dns enters an unrecoverable infinite error loop consuming 100% CPU when processing a truncated TCP DNS query followed by a connection reset, causing denial of service to DNS resolution services. The vulnerability affects the aardvark-dns container DNS service and requires local network access to trigger. No public exploit code or active exploitation has been identified, but the trivial attack vector (malformed DNS packets) and high CPU impact make this a practical denial-of-service risk for containerized deployments.
Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.
Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.
Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.
Denial of service in OpenPrinting CUPS 2.4.16 and prior allows unprivileged local users to crash the cupsd root process via integer underflow in _ppdCreateFromIPP() by supplying a negative job-password-supported IPP attribute, which wraps to a large size_t value and triggers a stack buffer overflow in memset(). When combined with systemd's automatic restart mechanism, an attacker can sustain repeated crashes without requiring elevated privileges or user interaction.
Authenticated denial of service via CQL in Apache Cassandra 4.0 through 5.0 allows authenticated users to elevate query latencies by repeatedly changing passwords, disrupting service availability for legitimate users. The vulnerability affects Cassandra 4.0.0-4.0.19, 4.1.0-4.1.10, and 5.0.0-5.0.6. Vendor-released patches are available (4.0.20, 4.1.11, 5.0.7). With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite the moderate CVSS score of 6.5, reflecting the requirement for prior authentication and the low likelihood of widespread abuse.
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.
Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.
Django's MultiPartParser allows authenticated remote attackers to cause denial of service through performance degradation by submitting multipart uploads with Content-Transfer-Encoding: base64 and excessive whitespace. Affected versions include Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, with unsupported series 5.0.x, 4.1.x, and 3.2.x potentially also vulnerable. The vulnerability has a CVSS 6.5 score reflecting high availability impact but requires authentication (PR:L) and is not actively exploited or publicly weaponized at analysis time.
Unauthenticated attackers can bypass add permissions in Django GenericInlineModelAdmin (versions 6.0 <6.0.4, 5.2 <5.2.13, 4.2 <4.2.30) by submitting forged POST data to inline model forms. Permission checks fail to validate creation rights on inline model instances, enabling unauthorized database record insertion with network access alone. CVSS 9.8 critical severity reflects complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).
Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.
Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.
MLflow through version 3.10.1 allows authenticated users to bypass authorization controls and download model artifacts from experiments they lack permission to access via an unprotected AJAX endpoint. The vulnerability requires valid MLflow authentication but no special privileges, enabling lateral access to restricted experiment data. Patch availability confirmed via upstream pull request; CISA SSVC assessment indicates partial technical impact with automatable exploitation path but no confirmed active exploitation.
Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects low severity due to authentication requirement and user interaction; SSVC framework rates exploitation as none, automatable as no, and technical impact as partial. Upstream fix is available in a GitHub PR, though no formally released patched version has been independently confirmed from provided data.
NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.
Signed integer overflow in OpenEXR's undo_pxr24_impl() function allows unauthenticated remote attackers to bypass buffer bounds checks and trigger heap buffer overflow during EXR file decoding, potentially causing denial of service or limited data corruption when processing maliciously crafted EXR files. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. No public exploit code or active exploitation has been confirmed at the time of analysis.
Integer overflow in OpenEXR 3.4.0-3.4.8 allows remote attackers to crash applications processing malicious EXR files via a negative dataWindow.min.x value in the file header, triggering a signed integer overflow in generic_unpack() that causes process termination with SIGILL. The vulnerability requires user interaction (opening a crafted file) and affects availability only, with no confirmed active exploitation at time of analysis.
Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).
Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. CVSS 7.5 (High) reflects confidentiality impact; no public exploit identified at time of analysis. Exploitation requires network access to log files or log aggregation systems, potentially enabling privilege escalation within Kubernetes clusters.
Information disclosure in Apache Tomcat's JsonAccessLogValve allows unauthenticated remote attackers to retrieve sensitive data due to improper output encoding. Affects Tomcat versions 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. The vulnerability enables high-impact confidentiality breaches through network-accessible attack vectors with low complexity and no user interaction required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
ECDSA signature verification in wolfSSL 3.12.0 through 5.9.0 accepts cryptographically weak digest sizes below protocol-mandated minimums, enabling authentication bypass when attackers possess the public CA key. Authenticated network attackers can exploit this to compromise confidentiality and integrity of certificate-based sessions. Vulnerability arises specifically when EdDSA or ML-DSA algorithms are concurrently enabled alongside ECDSA/ECC verification. No public exploit identified at time of analysis.
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Authentication bypass in Apache Tomcat 9.x through 11.x and Tomcat Native 1.1.23-2.0.13 allows unauthenticated remote attackers to bypass CLIENT_CERT authentication when soft-fail is disabled, achieving unauthorized access to confidentiality- and integrity-sensitive resources. Exploitation requires no user interaction or privileges (CVSS:3.1 PR:N/UI:N). The flaw affects CLIENT_CERT authentication logic, permitting access under conditions where authentication should fail. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.04%).
Cipher preference order enforcement failure in Apache Tomcat 9.0.114-9.0.115, 10.1.51-10.1.52, and 11.0.16-11.0.18 allows unauthenticated remote attackers to force selection of weaker cryptographic ciphers during TLS negotiation, enabling potential decryption of confidential data transmitted over HTTPS connections. The vulnerability stems from improper preservation of administrator-configured cipher suite priority, potentially exposing sensitive session data, credentials, or application content. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects network-accessible confidentiality impact requiring no privileges.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
HTTP request smuggling in Apache Tomcat 7.x through 11.x permits unauthenticated remote attackers to manipulate request routing and bypass security controls via malformed chunk extension processing. Exploitation enables header injection, cache poisoning, and request routing manipulation without code execution. Affects Tomcat 7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.115, 10.1.0-M1-10.1.52, and 11.0.0-M1-11.0.18. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Path traversal in flatpak-builder 1.4.5 through 1.4.7 enables arbitrary host file exfiltration through license-files manifest exploitation. Attacker-crafted manifest with symlink manipulation bypasses g_file_get_relative_path() and g_file_query_file_type() validation, allowing reads outside source directory. Successful exploitation requires user interaction (processing malicious manifest) but grants unauthenticated remote attackers high confidentiality impact with no authentication required. Publicly available exploit code exists. CVSS 7.1 reflects network vector with user participation prerequisite.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.
Media stream metadata corruption in Google Chrome for Android prior to 147.0.7727.55 enables remote attackers who have already compromised the renderer process to corrupt media stream metadata via a race condition (CWE-362) in the Media component. Despite a critical CVSS 9.8 score with network-accessible attack vector, real-world exploitation requires pre-compromise of the renderer, and EPSS probability is very low (0.03%, 9th percentile). Vendor patch released in Chrome 147.0.7727.55. No public exploit or active exploitation (KEV) identified at time of analysis. Chromium rates this Low severity, contrasting sharply with the theoretical CVSS rating.
Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the Downloads feature that allows remote attackers to circumvent multi-download protections through a crafted HTML page. The vulnerability requires user interaction (clicking or accepting a download), affects integrity only (no code execution or availability impact), and carries a low Chromium severity rating. EPSS exploitation probability is minimal at 0.02% (3rd percentile), indicating this is primarily a user-experience or policy-enforcement issue rather than a critical security risk.
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
UI spoofing in Google Chrome on iOS prior to version 147.0.7727.55 allows remote attackers to deceive users through malicious HTML pages that manipulate the Omnibox security indicator, enabling phishing or credential theft without code execution. The vulnerability requires user interaction and has low confidentiality impact, reflected in both the CVSS score of 4.3 and minimal EPSS score of 0.03%, indicating limited real-world exploitation likelihood despite public discoverability.
UI spoofing in Google Chrome's Downloads interface prior to version 147.0.7727.55 allows remote attackers to deceive users into performing unintended actions via crafted HTML pages exploiting incorrect security UI rendering. The vulnerability requires user interaction with specific UI gestures on a malicious webpage, resulting in limited integrity impact through visual deception rather than code execution or data exfiltration. Although marked as low severity by Chromium and carrying minimal exploitation probability (EPSS 0.03%), the attack surface is broad given Chrome's prevalence as a target for social engineering.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.
Google Chrome prior to version 147.0.7727.55 contains an inappropriate PDF implementation that allows remote attackers to bypass navigation restrictions via a crafted HTML page. The vulnerability requires user interaction to trigger and offers low real-world risk, with an EPSS score of 0.02% (3rd percentile) indicating minimal exploitation probability despite its network-accessible attack vector. A vendor-released patch is available.
Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.
Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.
UI spoofing in Google Chrome prior to version 147.0.7727.55 allows remote attackers with a compromised renderer process to deceive users through crafted HTML pages. The vulnerability requires prior renderer compromise, limiting real-world exploitation to scenarios where an attacker has already achieved code execution within the browser's sandboxed rendering context. No active exploitation confirmed; EPSS score of 0.03% indicates minimal exploitation probability.
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.
Google Chrome on Windows prior to version 147.0.7727.55 fails to properly validate user input in the Downloads functionality, allowing remote attackers to bypass download restrictions through a crafted HTML page. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but has low real-world impact-it enables integrity bypass only, not code execution or confidentiality breaches. No public exploit code or active exploitation has been identified; the low EPSS score (0.02%) reflects minimal practical risk despite the network attack vector.
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Memory disclosure in Google Chrome on Windows prior to version 147.0.7727.55 allows remote attackers to extract sensitive information from process memory by delivering a crafted HTML page through WebML parsing. The vulnerability stems from insufficient input validation in the WebML component and requires user interaction (visiting a malicious page), making it a moderate-risk information disclosure affecting a ubiquitous browser platform.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to escape renderer sandbox via malicious HTML page. A remote attacker who has already compromised the renderer process can achieve arbitrary code execution within the sandbox through insufficient input validation in Chrome's Media component. Requires user interaction (visiting crafted page). EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability; no confirmed active exploitation (not in CISA KEV). Vendor patch released in Chrome 147.0.7727.55.
UI spoofing in Google Chrome fullscreen mode prior to version 147.0.7727.55 allows remote attackers to deceive users with crafted HTML pages displaying fake security UI elements, potentially leading to credential theft or malware distribution through trusted-looking interface impersonation. The vulnerability requires user interaction (clicking/navigating to the malicious page) but poses moderate integrity risk due to the deceptive nature of fullscreen UI manipulation. No active exploitation has been confirmed, though the attack vector is straightforward for mass phishing campaigns.
Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.
Omnibox spoofing in Google Chrome prior to 147.0.7727.55 allows remote attackers with a compromised renderer process to spoof the URL bar contents via crafted HTML, deceiving users about the actual page origin. The vulnerability requires renderer process compromise (post-sandbox-escape condition) and user interaction, limiting real-world exploitation to multi-stage attacks. Patch available in Chrome 147.0.7727.55 and later; EPSS score of 0.03% reflects low autonomous exploitation likelihood despite medium CVSS rating.
UI spoofing via incorrect security UI rendering in Google Chrome's Blink engine allows remote attackers to deceive users into trusting malicious content through crafted HTML pages, affecting Chrome versions prior to 147.0.7727.55. The attack requires user interaction (clicking or viewing the malicious page) but no authentication. While assigned Medium severity by Google and carrying low EPSS exploitation probability (0.03%, 10th percentile), the integrity impact centers on user trust and phishing enablement rather than code execution.
Remote code execution within Chrome's sandbox affects all versions prior to 147.0.7727.55 through a use-after-free vulnerability in the browser's navigation component. Remote attackers can execute arbitrary code by delivering a specially crafted HTML page that triggers memory corruption when a user visits the malicious site. EPSS probability of 0.04% indicates low observed exploitation activity, and no CISA KEV listing confirms this is not confirmed actively exploited at time of analysis. Google has released patches in Chrome 147.0.7727.55.
Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.
UI spoofing via policy bypass in Blink rendering engine in Google Chrome prior to version 147.0.7727.55 allows remote attackers to deceive users through crafted HTML pages. The vulnerability requires user interaction (clicking or viewing) but needs no authentication, affecting all Chrome users on unpatched versions. Chromium security team rated this as Medium severity; EPSS score of 0.02% indicates low real-world exploitation probability despite public disclosure.
Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox by delivering a malicious HTML page that triggers a use-after-free vulnerability. While rated High severity (CVSS 8.8) due to complete confidentiality/integrity/availability impact, EPSS scoring places exploitation probability at only 4% (11th percentile), indicating low observed targeting in the wild. No confirmed active exploitation (not in CISA KEV) and no public proof-of-concept identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser sandbox via a maliciously crafted HTML page exploiting a type confusion vulnerability in the V8 JavaScript engine. With CVSS 8.8 (High), network-based attack vector requiring only user interaction, and available vendor patch, this represents a significant but contained threat. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability, and no active exploitation or public POC is identified at time of analysis. The sandbox containment limits initial impact severity compared to full system compromise.
Remote code execution in Google Chrome's Skia graphics library (versions prior to 147.0.7727.55) allows remote attackers to execute arbitrary code within the browser's sandbox via specially crafted HTML pages exploiting an integer overflow vulnerability. Google patched this high-severity flaw in Chrome 147.0.7727.55 released April 2026. No active exploitation confirmed (not on CISA KEV), with low EPSS score (0.04%, 11th percentile) indicating minimal observed exploitation activity. Exploitation requires user interaction (visiting malicious webpage) but no authentication, making it viable for drive-by attacks against unpatched Chrome installations.
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.
Integer overflow in Google Chrome's WebML component (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption via malicious HTML pages, requiring only user interaction to visit a crafted website. The vendor-assigned severity is Critical, though EPSS indicates only 0.03% probability of exploitation in the wild (9th percentile), and no public exploit identified at time of analysis. Patch available in Chrome 147.0.7727.55 and later.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.
Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.
Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deserialization (CWE-502) of resumable container image layer upload state stored in the database. An attacker with the privileges needed to initiate image uploads can tamper with intermediate upload data to execute arbitrary code on the Quay server. No public exploit identified at time of analysis; EPSS is low (0.06%) and CISA SSVC marks exploitation status as none, though technical impact is rated total.
Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concurrent uploads by other users across the entire registry, enabling unauthorized read, modification, or cancellation of in-progress uploads in repositories they cannot access. This cross-repository attack vector affects Red Hat Quay 3.x and Mirror Registry deployments. EPSS score of 0.03% (8th percentile) indicates low predicted exploitation probability in the wild, and CISA SSVC framework rates this as non-automatable with no known exploitation, suggesting targeted risk rather than widespread threat despite the 7.4 CVSS score.
Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in root group) and challenging conditions (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.
Algorithmic complexity denial of service in Go's crypto/x509 library allows remote attackers to cause resource exhaustion via certificate chains containing excessive policy mappings. Affects Go versions <1.25.9 and 1.26.0-1.26.1. Attack requires no authentication (CVSS AV:N/PR:N) but targets only otherwise-trusted certificate chains from roots in the system or configured trust store. EPSS score 0.01% indicates minimal observed exploitation probability. No active exploitation confirmed (not in CI
Denial of service via unbounded memory allocation in Go's archive/tar package when parsing maliciously-crafted tar archives containing many sparse regions in old GNU sparse map format. Affects Go standard library versions prior to 1.25.9 and 1.26.2. Local attackers with user interaction can exhaust system memory, crashing applications that process untrusted tar files. No public exploit code identified; EPSS score of 0.01% indicates very low exploitation probability despite moderate CVSS severity.
Integer overflow in Go compiler's loop optimization (cmd/compile 1.25.x < 1.25.9, 1.26.x < 1.26.2) allows remote code execution through crafted source code that triggers invalid array indexing at runtime. Attack vector is network-accessible (AV:N) with no authentication required (PR:N), enabling attackers to compile malicious Go programs that exploit compiler-generated memory corruption vulnerabilities. EPSS score of 0.01% (1st percentile) indicates low observed exploitation probability despite
Memory corruption in Go compiler cmd/compile versions before 1.25.9 and 1.26.0-1.26.1 allows local authenticated attackers to achieve integrity compromise and denial of service. A flaw in pointer unwrapping logic during memory move operations causes the compiler to incorrectly assess overlapping memory regions, potentially corrupting compiled binaries. EPSS score of 0.01% indicates minimal real-world exploitation probability, and no public exploit or active exploitation (non-KEV) has been identified at time of analysis.
Cross-site scripting (XSS) vulnerability in Go's html/template package allows incorrect escaping of template actions within JavaScript template literals, enabling attackers to inject malicious scripts when template branches and brace-depth tracking are mishandled. Affects html/template versions prior to 1.26.2 and 1.25.9. The vulnerability requires user interaction (UI:R) and is not actively exploited based on available intelligence, though the low EPSS score (0.01%) indicates minimal real-world exploitation likelihood despite the network-accessible attack vector.
Time-of-check-time-of-use (TOCTOU) race condition in Go's internal/syscall/unix Root.Chmod allows local privileged attackers to modify file permissions on targets outside the intended root filesystem boundary. By replacing the target with a symlink between the permission check and the actual chmod operation, attackers can exploit the Linux fchmodat syscall's behavior of silently ignoring AT_SYMLINK_NOFOLLOW to modify arbitrary files outside the restricted root. Exploitation requires high privileges and precise timing; EPSS score of 0.01% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Arbitrary file deletion in Flatpak versions prior to 1.16.4 allows sandboxed applications to delete files on the host system via path traversal during ld.so cache cleanup. The vulnerability stems from improper validation of application-controlled paths when removing outdated cache files, enabling applications to escape sandbox constraints and delete arbitrary host files. No active exploitation or public exploit code is confirmed at time of analysis, though the technical barrier is low given the CVSS vector shows network-accessible attack with low complexity and no authentication required.
Aardvark-dns enters an unrecoverable infinite error loop consuming 100% CPU when processing a truncated TCP DNS query followed by a connection reset, causing denial of service to DNS resolution services. The vulnerability affects the aardvark-dns container DNS service and requires local network access to trigger. No public exploit code or active exploitation has been identified, but the trivial attack vector (malformed DNS packets) and high CPU impact make this a practical denial-of-service risk for containerized deployments.
Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.
Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.
Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.
Denial of service in OpenPrinting CUPS 2.4.16 and prior allows unprivileged local users to crash the cupsd root process via integer underflow in _ppdCreateFromIPP() by supplying a negative job-password-supported IPP attribute, which wraps to a large size_t value and triggers a stack buffer overflow in memset(). When combined with systemd's automatic restart mechanism, an attacker can sustain repeated crashes without requiring elevated privileges or user interaction.
Authenticated denial of service via CQL in Apache Cassandra 4.0 through 5.0 allows authenticated users to elevate query latencies by repeatedly changing passwords, disrupting service availability for legitimate users. The vulnerability affects Cassandra 4.0.0-4.0.19, 4.1.0-4.1.10, and 5.0.0-5.0.6. Vendor-released patches are available (4.0.20, 4.1.11, 5.0.7). With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite the moderate CVSS score of 6.5, reflecting the requirement for prior authentication and the low likelihood of widespread abuse.
Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.
Improper certificate validation in Red Hat's Open Cluster Management (OCM) and Multicluster Engine for Kubernetes allows managed cluster administrators with high-level local access to forge client certificates, achieving cross-cluster privilege escalation to other managed clusters including the hub cluster. The CVSS 8.2 rating reflects high impact across confidentiality, integrity, and availability with scope change, though exploitation requires existing high-privilege local access (PR:H) and local attack vector (AV:L). No public exploit code or CISA KEV listing identified at time of analysis, though technical details are publicly documented in researcher blog post.
Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.
Django's MultiPartParser allows authenticated remote attackers to cause denial of service through performance degradation by submitting multipart uploads with Content-Transfer-Encoding: base64 and excessive whitespace. Affected versions include Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, with unsupported series 5.0.x, 4.1.x, and 3.2.x potentially also vulnerable. The vulnerability has a CVSS 6.5 score reflecting high availability impact but requires authentication (PR:L) and is not actively exploited or publicly weaponized at analysis time.
Unauthenticated attackers can bypass add permissions in Django GenericInlineModelAdmin (versions 6.0 <6.0.4, 5.2 <5.2.13, 4.2 <4.2.30) by submitting forged POST data to inline model forms. Permission checks fail to validate creation rights on inline model instances, enabling unauthorized database record insertion with network access alone. CVSS 9.8 critical severity reflects complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).
Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.
Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.
MLflow through version 3.10.1 allows authenticated users to bypass authorization controls and download model artifacts from experiments they lack permission to access via an unprotected AJAX endpoint. The vulnerability requires valid MLflow authentication but no special privileges, enabling lateral access to restricted experiment data. Patch availability confirmed via upstream pull request; CISA SSVC assessment indicates partial technical impact with automatable exploitation path but no confirmed active exploitation.
Stored cross-site scripting (XSS) in MLflow through version 3.10.1 allows authenticated attackers to inject malicious payloads via YAML-based MLmodel artifacts that execute when other users view the artifact in the web interface, enabling session hijacking or unauthorized actions on behalf of victims. CVSS 5.1 reflects low severity due to authentication requirement and user interaction; SSVC framework rates exploitation as none, automatable as no, and technical impact as partial. Upstream fix is available in a GitHub PR, though no formally released patched version has been independently confirmed from provided data.
NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.
Signed integer overflow in OpenEXR's undo_pxr24_impl() function allows unauthenticated remote attackers to bypass buffer bounds checks and trigger heap buffer overflow during EXR file decoding, potentially causing denial of service or limited data corruption when processing maliciously crafted EXR files. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. No public exploit code or active exploitation has been confirmed at the time of analysis.
Integer overflow in OpenEXR 3.4.0-3.4.8 allows remote attackers to crash applications processing malicious EXR files via a negative dataWindow.min.x value in the file header, triggering a signed integer overflow in generic_unpack() that causes process termination with SIGILL. The vulnerability requires user interaction (opening a crafted file) and affects availability only, with no confirmed active exploitation at time of analysis.
Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).