Information Disclosure
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security.
How It Works
Information disclosure occurs when an application unintentionally exposes sensitive data that aids attackers in reconnaissance or directly compromises security. This happens through multiple channels: verbose error messages that display stack traces revealing internal paths and frameworks, improperly secured debug endpoints left active in production, and misconfigured servers that expose directory listings or version control artifacts like .git folders. APIs often leak excessive data in responses—returning full user objects when only a name is needed, or revealing system internals through metadata fields.
Attackers exploit these exposures systematically. They probe for common sensitive files (.env, config.php, backup archives), trigger error conditions to extract framework details, and analyze response timing or content differences to enumerate valid usernames or resources. Even subtle variations—like "invalid password" versus "user not found"—enable account enumeration. Exposed configuration files frequently contain database credentials, API keys, or internal service URLs that unlock further attack vectors.
The attack flow typically starts with passive reconnaissance: examining HTTP headers, JavaScript bundles, and public endpoints for version information and architecture clues. Active probing follows—testing predictable paths, manipulating parameters to trigger exceptions, and comparing responses across similar requests to identify information leakage patterns.
Impact
- Credential compromise: Exposed configuration files, hardcoded secrets in source code, or API keys enable direct authentication bypass
- Attack surface mapping: Stack traces, framework versions, and internal paths help attackers craft targeted exploits for known vulnerabilities
- Data breach: Direct exposure of user data, payment information, or proprietary business logic through oversharing APIs or accessible backups
- Privilege escalation pathway: Internal URLs, service discovery information, and architecture details facilitate lateral movement and SSRF attacks
- Compliance violations: GDPR, PCI-DSS, and HIPAA penalties for exposing regulated data through preventable disclosures
Real-World Examples
A major Git repository exposure affected thousands of websites when .git folders remained accessible on production servers, allowing attackers to reconstruct entire source code histories including deleted commits containing credentials. Tools like GitDumper automated mass exploitation of this misconfiguration.
Cloud storage misconfigurations have repeatedly exposed sensitive data when companies left S3 buckets or Azure Blob containers publicly readable. One incident exposed 150 million voter records because verbose API error messages revealed the storage URL structure, and no authentication was required.
Framework debug modes left enabled in production have caused numerous breaches. Django's DEBUG=True setting exposed complete stack traces with database queries and environment variables, while Laravel's debug pages revealed encryption keys through the APP_KEY variable in environment dumps.
Mitigation
- Generic error pages: Return uniform error messages to users; log detailed exceptions server-side only
- Disable debug modes: Enforce production configurations that suppress stack traces, verbose logging, and debug endpoints through deployment automation
- Access control audits: Restrict or remove development artifacts (
.git, backup files,phpinfo()) and internal endpoints before deployment - Response minimization: API responses should return only necessary fields; implement allowlists rather than blocklists for data exposure
- Security headers: Deploy
X-Content-Type-Options, remove server version banners, and disable directory indexing - Timing consistency: Ensure authentication and validation responses take uniform time regardless of input validity
Recent CVEs (66674)
Timing oracle in NocoDB's shared-view password authentication allows a network-positioned attacker to recover legacy plaintext passwords character-by-character through response time measurement. Affected installations are those where shared-view passwords were set before the bcrypt migration - passwords stored as bcrypt hashes (prefixed $2a$/$2b$) were never vulnerable. The strict-equality (===) JavaScript comparison leaked both password length and per-character prefix timing, enabling incremental brute-force without any prior authentication. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Uninitialized heap read in 7-Zip's SquashFS archive handler (versions 9.18 through 26.00) can crash the application and leak raw heap memory contents when a user opens a specially crafted archive. The flaw originates in the `_blockToNode` array, which is allocated but never zero-initialized; an attacker-controlled `blockIndex` derived from the RootInode superblock field drives a binary search over uninitialized slots, producing a chained out-of-bounds read with no write primitive. No public exploit has been identified at time of analysis, and the description explicitly characterizes exploitation as heap-layout-dependent and not reliably triggerable, which is consistent with the CVSS AC:H rating and limits practical risk despite the network-deliverable attack surface.
Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
### Impact If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity.
Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.
Uninitialized heap memory disclosure in 7-Zip's UEFI capsule (.scap) parser exposes potentially sensitive heap contents when an unauthenticated remote attacker delivers a crafted capsule file that a user opens. The OpenCapsule function allocates a heap buffer sized by the attacker-controlled CapsuleImageSize field without zero-initialization, then silently ignores read failures on truncated files, causing the unread tail - containing raw heap data - to be surfaced as extracted file content. Affecting versions 9.21 through 26.00, a fix is available in 26.0.1; no public exploit code has been identified at time of analysis.
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.
Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to perform system footprinting by analyzing observable discrepancies in server responses. The CVSS 9.1 score reflects high confidentiality and integrity impact over the network with no authentication required, though no public exploit identified at time of analysis. The vulnerability was reported by Turkey's national CERT (TR-CERT), suggesting it primarily affects deployments within Turkey's defense and government sectors where HAVELSAN products are commonly used.
Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in `computeObservationContentHash`, meaning different distributions of characters across `memorySessionId`, `title`, and `narrative` yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.
Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.
Use-after-free read in X.Org X server and Xwayland's CreateSaverWindow() function exposes heap memory to local authenticated users, resulting in information disclosure. A low-privileged local X client can manipulate window attributes and force screen saver activation to trigger a read from freed memory, leaking potentially sensitive heap contents (C:H/I:N/A:N). No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, an upstream fix commit has been published and a Red Hat advisory is available.
Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler `__glXDisp_ChangeDrawableAttributes()` allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Cryptographic weaknesses in the linqi application (versions ≤1.4.8.5) allow local attackers with low-level privileges to decrypt sensitive obfuscated configuration data, including database connection strings stored in appsettings.json. The flaw combines hardcoded cryptographic keys (CWE-321) with a weak, limited-ASCII-charset algorithm for dynamically generating AES/CBC Initialization Vectors, enabling known-plaintext attacks. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV, but the CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact.
Out-of-bounds memory access in Samsung Android USB Driver for Windows (all versions prior to 1.9.5.0) allows a local attacker without elevated privileges to corrupt or read memory beyond allocated bounds, resulting in high availability impact and low integrity impact on the affected Windows host. Samsung has released version 1.9.5.0 as the corrective patch, documented under EUVD-2026-34810. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis, though the CVSS 4.0 AT:P modifier signals a required target-specific condition that narrows exploitability.
Improper input validation in Samsung Members prior to version 5.8.01.5 allows local authenticated attackers to access arbitrary URLs and launch arbitrary Android activities using Samsung Members' application privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms local access with low privileges and no additional preconditions, with the score of 6.9 reflecting a high availability impact on the vulnerable component alongside low integrity impact. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the ability to hijack privileged activity launches on Samsung devices makes it a meaningful local privilege-chaining vector.
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Samsung Auto for Android exposes audio configuration functionality through improperly exported application components, allowing a local attacker with low privileges to arbitrarily modify audio settings without authorization. Affected versions are Samsung Auto prior to 3.1.2.61 on Android 15 and prior to 3.2.0.38 on Android 16, as confirmed by the Samsung Mobile vendor advisory and EUVD-2026-34806. No public exploit is identified at time of analysis and this vulnerability has not been added to the CISA KEV catalog, placing it at low real-world priority despite the straightforward local attack path.
Improper export of the ExpressHomeWidgetReceiver Android component in Samsung Assistant (prior to version 9.3.14) enables a local attacker without special privileges to send crafted intents to the exposed receiver and execute arbitrary scripts on the device. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) with a local attack vector - an on-device malicious application is a realistic threat model. No public exploit has been identified and this CVE does not appear in CISA KEV at time of analysis.
Improper export of the SmartHomeWidgetReceiver Android component in Samsung Assistant prior to version 9.3.14 allows a local attacker without any privileges to send crafted intents directly to the exposed receiver and execute arbitrary scripts. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) constrained to the local attack surface (AV:L), aligning with the 'Information Disclosure' tag. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Improper access control in the MediaTek Audio HAL on Samsung Mobile Devices running Android 14, 15, and 16 permits local unprivileged attackers to invoke restricted privileged functions within the audio subsystem. The CVSS 4.0 subsequent system impact is rated High across confidentiality, integrity, and availability (SC:H/SI:H/SA:H), indicating that successful exploitation can cascade well beyond the Audio HAL itself to compromise broader device system components. No public exploit identified at time of analysis; Samsung has released a fix in SMR Jun-2026 Release 1.
Improper Android component export in Samsung's Galaxy Editing Service exposes privileged operations to local, low-privileged attackers on Android 14, 15, and 16 devices prior to SMR Jun-2026 Release 1. A malicious app installed on the device can directly invoke these exported components - bypassing intended permission controls - to execute operations with elevated privileges, resulting in high integrity impact on the vulnerable system. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Improper access control in the AuditLogService component of Samsung Mobile Devices running Android 16 exposes sensitive audit log information to local attackers. The flaw, disclosed and patched by Samsung Mobile as part of their June 2026 Security Maintenance Release (SMR Jun-2026 Release 1), enables a local attacker without special privileges to both read and potentially modify sensitive data surfaced by the audit logging subsystem. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
ImsSettings on Samsung Mobile Devices (Android 14, 15, 16) exposes an improperly exported Android application component, enabling locally authenticated low-privilege attackers to invoke the component and trigger its logging function, resulting in limited information disclosure. The vulnerability is patched in Samsung's SMR Jun-2026 Release 1 and is reported exclusively by Samsung Mobile. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the narrow, local-only impact.
Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 permits local attackers to access sensitive information without requiring prior privileges or user interaction. Affecting devices running Android 14, 15, and 16, the flaw stems from improper access controls within the telephony subsystem. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the low attack complexity and absence of privilege prerequisites lower the bar for local exploitation.
Improper privilege handling in Samsung's SecTelephonyProvider component allows local attackers on Samsung Mobile Devices to access files that should be restricted to privileged processes. Affected devices run Android 14, 15, and 16 prior to the SMR Jun-2026 Release 1 patch, spanning the full current Samsung Android support matrix. No public exploit code exists and no KEV listing has been issued; the CVSS 4.0 score of 4.6 reflects constrained real-world impact due to required local access and active user interaction.
Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.
Information disclosure in Red Hat Build of Keycloak's group members endpoint allows a highly privileged but delegated administrator to bypass explicitly configured user profile attribute access controls. An administrator granted only delegated read access to group memberships and user data can invoke the group members API endpoint to retrieve user attributes that have been administratively denied to that role, circumventing the intended granularity of access control. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS score of 2.7 (Low) reflects the high privilege prerequisite and limited confidentiality impact.
Inefficient algorithmic complexity in bytedance InfiniStore up to version 0.2.33 allows a local, low-privileged attacker to partially degrade availability by triggering worst-case execution in the purge_kv_map function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:L) confirms limited blast radius - local-only access with no confidentiality or integrity impact - but a public proof-of-concept exists per the GitHub issue tracker and is reflected in the E:P temporal modifier. No patch has been issued; the vendor has not responded to the coordinated disclosure.
UI spoofing via Chrome's History component (versions prior to 149.0.7827.53) lets an unauthenticated remote attacker deceive users through a crafted HTML page, exploiting insufficient policy enforcement in History navigation handling. The attacker can manipulate browser UI elements perceived by the victim, creating phishing-class deception without any confidentiality or availability impact - consistent with Chromium's own 'Low' severity rating. No public exploit code exists and EPSS sits at 0.03% (11th percentile), indicating very low probability of in-the-wild exploitation at time of analysis.
Out-of-bounds memory access in Google Chrome's LiveCaption component prior to version 149.0.7827.53 allows a remote attacker to read beyond allocated buffers by delivering crafted network traffic to a user with the feature in use. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, though Google's Chromium tracker rated severity Low while NVD's CVSS scored it 8.8 High - a notable disparity worth weighing when prioritizing.
UI spoofing in Google Chrome's Permissions subsystem prior to version 149.0.7827.53 enables remote unauthenticated attackers to misrepresent the browser's permission interface by delivering a crafted HTML page to a victim. The flaw (CWE-451) results in low-integrity impact - the attacker can deceive a user into perceiving a false permissions state, potentially manipulating consent decisions. No public exploit code exists, EPSS is 0.03% (8th percentile), CISA SSVC rates exploitation as none, and Chromium's own severity assessment is Low, placing this firmly in the routine-patching tier rather than an urgent response priority.
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
UI spoofing in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to visually mislead users via a crafted HTML page, exploiting CWE-451 misrepresentation of critical UI information. The integrity-only impact (CVSS I:L, C:N, A:N) is consistent with a spoofed password prompt or save dialog that could trick users into revealing credentials or accepting malicious input. No public exploit code exists, EPSS is 0.03% (11th percentile), and CISA has not added this to KEV, making this a low operational priority despite being network-reachable.
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 arises from insufficient policy enforcement in the CSS subsystem, allowing unauthenticated remote attackers to read data across origin boundaries by directing a user to a crafted HTML page. The CVSS vector scores high confidentiality impact (C:H) with no privileges required (PR:N), though mandatory user interaction (UI:R) is a prerequisite. No public exploit has been identified at time of analysis, EPSS probability is very low at 0.03% (11th percentile), and Chromium's own internal severity rating is 'Low' - all signals consistent with limited real-world exploitation risk despite the elevated CVSS confidentiality impact.
UI spoofing in Google Chrome's Wallet component (versions prior to 149.0.7827.53) permits a remote attacker who has already achieved renderer process compromise to manipulate the browser's payment/credential interface by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) scores this at 4.3 Medium, but the explicit renderer-compromise prerequisite in the description significantly narrows real-world attack surface beyond what those scores imply. No public exploit identified at time of analysis, EPSS sits at 0.05% (15th percentile), there is no CISA KEV listing, and Google's own Chromium team rates this Low severity - all signals converging on limited exploitation likelihood.
UI spoofing in Google Chrome for iOS prior to version 149.0.7827.53 enables a remote unauthenticated attacker to misrepresent critical browser interface elements through a crafted HTML page, requiring only that the victim visit the malicious page. The vulnerability stems from an inappropriate implementation specific to the iOS platform build of Chrome (CWE-451), with impact limited to integrity - no confidentiality or availability loss. No public exploit identified at time of analysis; EPSS sits at 0.03% (11th percentile) and Chromium's own severity rating is Low, aligning with the constrained real-world impact.
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.
Sandbox escape in Google Chrome on Linux prior to version 149.0.7827.53 allows remote attackers to potentially break out of the renderer sandbox via a crafted HTML page when a user visits an attacker-controlled site. The flaw stems from insufficient policy enforcement in the Linux sandbox implementation and carries a high CVSS of 9.6 due to scope change, though Chromium itself rates the security severity as Low. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Integer overflow in Chrome's Chromoting (Remote Desktop) component on Windows exposes process memory contents to local authenticated attackers via crafted ETW (Event Tracing for Windows) events. Affected versions are all Chrome releases on Windows prior to 149.0.7827.53. With CVSS confidentiality impact rated High and no public exploit identified at time of analysis, the practical risk is constrained by the local access and user interaction requirements, though sensitive data such as credentials or session tokens resident in process memory could be disclosed. EPSS score of 0.01% (1st percentile) confirms low observed exploitation probability.
UI spoofing in Google Chrome on iOS (prior to 149.0.7827.53) allows an unauthenticated remote attacker to present a deceptive interface to users by serving a crafted HTML page, specifically targeting the Signin flow. The root cause is an inappropriate implementation classified under CWE-20 (Improper Input Validation), meaning Chrome fails to sufficiently validate or constrain inputs that influence the rendered signin UI. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.05% (15th percentile) indicates very low near-term exploitation probability, consistent with the Low Chromium severity rating.
Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.
Cross-origin data leakage via Chrome's CustomTabs component on Android exposes confidential web content to attackers who can deliver a crafted HTML page to a victim. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. Despite Chromium's internal 'Low' severity rating, the CVSS confidentiality impact is scored High (C:H), and user interaction is required (UI:R) - meaning exploitation depends on a victim opening attacker-controlled content. No public exploit code exists and no active exploitation has been identified; EPSS at 0.01% (1st percentile) corroborates low near-term exploitation likelihood.
Cross-origin data leakage in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows an unauthenticated remote attacker to read sensitive cross-origin information by serving a crafted HTML page and social-engineering the victim into performing specific UI gestures. The CVSS score of 6.5 reflects high confidentiality impact (C:H), though the attack is gated by mandatory user interaction, which materially limits real-world exploitability. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at just 0.03% (11th percentile), and the Chromium security team rated this vulnerability Low severity - all signals consistent with a narrowly exploitable information disclosure rather than a broad critical threat.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer on Windows allows a remote unauthenticated attacker to read sensitive cross-origin memory contents by delivering a crafted HTML page to a victim. Affected are all Chrome versions on Windows prior to 149.0.7827.53. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction library. No public exploit has been identified at time of analysis, EPSS is very low at 0.03% (11th percentile), and the vulnerability is not listed in the CISA KEV catalog, consistent with the vendor's own 'Low' severity rating.
Cross-origin data leakage in Google Chrome for Android prior to 149.0.7827.53 exposes sensitive information through insufficient policy enforcement in the WebAuthentication (WebAuthn) component. An attacker who has already achieved renderer process compromise can exploit this gap to extract cross-origin data by delivering a crafted HTML page to a victim, requiring user interaction. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at a low 0.05% (16th percentile), consistent with Google's own 'Low' severity classification for Chromium.
UI spoofing in Google Chrome's PDF implementation prior to version 149.0.7827.53 can be triggered by a remote attacker who has already compromised the renderer process, using a crafted HTML page to mislead users through false interface elements. The vulnerability is rated Low severity by the Chromium security team, with a CVSS score of 4.3, and carries a negligible exploitation probability (EPSS 0.05%, 15th percentile). No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog, making real-world exploitation highly unlikely outside of sophisticated, chained attack scenarios.
Sandbox escape in Google Chrome's GPU process prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers an integer overflow. The flaw, tagged as a buffer overflow with information disclosure potential, requires user interaction and a chained renderer compromise, and no public exploit has been identified at time of analysis despite Chromium rating the underlying severity as Low.
Cross-origin data leakage in Google Chrome's Storage Access API affects desktop versions prior to 149.0.7827.53, enabling a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin information via a specially crafted HTML page. Google rates the underlying Chromium severity as Low, though NVD assigns CVSS 7.5 due to the unauthenticated network vector, and no public exploit identified at time of analysis.
UI spoofing in Google Chrome's Permissions implementation prior to version 149.0.7827.53 allows a remote, unauthenticated attacker to deceive users through manipulated browser permission dialogs via a crafted HTML page. Exploitation requires user interaction - a victim must visit a malicious page - and the real-world impact is limited to low-integrity outcomes such as misleading users into granting or denying permissions under false pretenses. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Cross-origin data leakage in Google Chrome's Permissions subsystem (prior to 149.0.7827.53) enables remote unauthenticated attackers to read data across origin boundaries via a crafted HTML page. The flaw, classified as a race condition (CWE-362) in the Permissions implementation, undermines the browser's Same-Origin Policy enforcement - a foundational web isolation mechanism. No public exploit identified at time of analysis; a vendor-released patch is available in version 149.0.7827.53, and Google has rated this Low severity in Chromium security terms.
Information disclosure in Google Chrome DevTools prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The flaw stems from a use-after-free condition (CWE-416) in DevTools, and while Google rates the underlying Chromium severity as Low, the NVD CVSS of 9.6 reflects the cross-origin scope change possible when chained with a prior renderer compromise. No public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome's CustomTabs component on Android exposes sensitive information to remote attackers via a crafted HTML page. Affected versions are all Chrome for Android releases prior to 149.0.7827.53, where insufficient policy enforcement in the CustomTabs API fails to uphold cross-origin isolation guarantees. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed); the EPSS score of 0.03% (11th percentile) and a CVSS score of 3.1 (Low) together indicate low real-world exploitation likelihood.
UI spoofing in Google Chrome's Payments component prior to version 149.0.7827.53 enables a remote unauthenticated attacker to mislead users about payment interface elements via a crafted HTML page. The vulnerability stems from inappropriate implementation logic (CWE-451) that allows visual misrepresentation of critical payment-related UI, potentially facilitating phishing or payment fraud against end users who interact with a malicious page. No public exploit code has been identified at time of analysis, and Chromium's internal severity rating is Low, consistent with its limited integrity-only, user-interaction-dependent impact.
Cross-origin data disclosure in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to leak data across origin boundaries by serving a crafted HTML page through the Plugins component. No public exploit has been identified at time of analysis, and Chromium rates the underlying issue as Low severity despite the NVD CVSS of 7.5. The flaw stems from insufficient validation of untrusted input (CWE-20) within Chrome's plugin handling path.
Improper authorization in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows authenticated remote attackers with low privileges to manipulate the `page` argument on the `/admin/` endpoint, bypassing access controls and gaining unauthorized access to administrative functionality. The CVSS 4.0 vector (PR:L) confirms exploitation requires a valid low-privileged account rather than unauthenticated access. Publicly available exploit code exists (E:P in CVSS 4.0 vector, corroborated by a published Medium writeup), though the overall severity is rated Low (2.1) due to limited confidentiality, integrity, and availability impact with no scope change to subsequent systems.
Arbitrary file access in Mimecast Incydr versions before 2.6.0 exposes endpoints to unauthorized read and write operations against files outside the application's intended scope, rooted in incorrect permission assignments (CWE-732). The CVSS 3.1 Changed Scope indicator (S:C) confirms that exploitation can reach resources beyond the Incydr agent boundary - meaningful given that Incydr is itself an insider risk monitoring platform that may store sensitive activity logs and configuration on the endpoint. Mimecast has released version 2.6.0 as the fix; no public exploit identified at time of analysis.
HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
UI spoofing in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to deceive users via a crafted HTML page through insufficient input validation in the Media component. The flaw carries a CVSS of 8.3 due to scope change and high impact ratings, though Chromium internally rates the severity as Low, and no public exploit identified at time of analysis. Exploitation requires a pre-existing renderer compromise and user interaction, narrowing realistic risk despite the elevated CVSS.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing Web Bluetooth policy enforcement. The flaw requires user interaction and a pre-existing renderer compromise, and no public exploit identified at time of analysis. Despite a CVSS of 8.3, EPSS is only 0.03% (10th percentile) and CISA SSVC marks exploitation status as 'none', indicating low real-world exploitation likelihood at present.
UI spoofing via malicious network traffic in Google Chrome's TabGroups feature (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent browser interface elements to victims, exploiting CWE-451 (UI Misrepresentation of Critical Information). The CVSS 5.4 score reflects limited but real confidentiality and availability impact (C:L/A:L), with Chromium's own severity team rating it Low. No public exploit identified at time of analysis, and Google has released a remediation in the 149.0.7827.53 stable channel update.
UI spoofing in Google Chrome's File Input component allows remote unauthenticated attackers to misrepresent interface elements when a user is socially engineered into performing specific UI gestures on a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.53. The vulnerability carries a Chromium-assigned severity of Low and is limited to integrity impact (I:L) with no confidentiality or availability consequences. No public exploit code exists and no active exploitation is confirmed at time of analysis.
Tab Hover Cards in Google Chrome prior to 149.0.7827.53 render domain names incorrectly, enabling a remote unauthenticated attacker to spoof displayed domain identity via a crafted domain name, misleading users about the true destination of a browser tab. CVSS rates Integrity impact as High (I:H), reflecting the real deception potential in phishing scenarios, while Chromium itself labels this Low severity - a notable contrast worth flagging. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) reflects minimal current exploitation interest.
Domain spoofing in Google Chrome's WebUI component (versions prior to 149.0.7827.53) allows unauthenticated remote attackers to display a misleading domain name in the browser UI by delivering a crafted domain to a victim. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) assigns High integrity impact, reflecting the ability to undermine a user's origin-trust decisions - the cornerstone of browser security. No public exploit code exists and EPSS sits at 0.03% (10th percentile), consistent with Google's own 'Low' Chromium severity rating; risk is realistic but non-urgent outside phishing-focused threat models.
Domain spoofing via Tab Strip UI misrepresentation in Google Chrome prior to 149.0.7827.53 enables remote unauthenticated attackers to deceive users into believing they are visiting a legitimate domain by serving a crafted HTML page that corrupts the displayed origin in the tab strip. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms network-accessible exploitation requiring no privileges but requiring user interaction, with integrity impact reflecting successful identity deception rather than data exfiltration or code execution. No public exploit code exists and EPSS at 0.03% (11th percentile) reflects negligible observed exploitation activity; this is not currently listed in the CISA KEV catalog.
UI spoofing in Google Chrome's PointerLock API prior to version 149.0.7827.53 allows an attacker who has already compromised the renderer process to manipulate browser UI presentation via a crafted HTML page. The CVSS score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects limited integrity-only impact with no confidentiality or availability consequences, and Google itself rated this 'Low' severity. No public exploit has been identified and the EPSS score of 0.05% (15th percentile) confirms very low real-world exploitation probability at time of analysis.
UI spoofing in Google Chrome's File Input component (versions prior to 149.0.7827.53) enables remote attackers to misrepresent security-critical interface elements to users through specially crafted HTML pages. The attacker must convince a target to perform specific UI gestures - such as drag-and-drop or deliberate click sequences - to trigger incorrect rendering of the browser's file selection security UI. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) signals very low exploitation probability, consistent with no CISA KEV listing.
Domain spoofing in Google Chrome's Cronet networking library on Android (versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent domain names to victims browsing on Android devices. The CVSS vector (AV:N/AC:L/PR:N/UI:R/I:H) confirms high integrity impact with no privileges required, contingent on victim interaction with a crafted URL. EPSS at 0.03% (11th percentile) and no CISA KEV listing indicate no public exploitation at time of analysis, making this primarily a targeted phishing-enablement risk rather than an actively weaponized vector.
Cross-origin data leakage in Google Chrome for iOS prior to version 149.0.7827.53 enables a remote unauthenticated attacker to read sensitive data from cross-origin resources by tricking a user into visiting a crafted HTML page. The flaw stems from an inappropriate implementation in the iOS-specific Chrome code path (CWE-346: Origin Validation Error), undermining the browser's Same-Origin Policy enforcement on Apple's platform. No public exploit code exists and no active exploitation is confirmed; with an EPSS of 0.03% (11th percentile), real-world risk is currently assessed as low despite the high confidentiality impact in the CVSS scoring.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that abuses Reading Mode's insufficient input validation. The CVSS 9.6 rating reflects the scope-changing impact (S:C) when chained from a renderer compromise, though EPSS is very low (0.05%) and no public exploit identified at time of analysis. Chromium rates the underlying issue Medium severity, reflecting that prior renderer compromise is a prerequisite.
Sensitive information disclosure in Google Chrome's Passwords component (prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to read potentially sensitive data - including password material - from process memory by delivering a crafted HTML page. The attack carries a CVSS 6.5 (Medium) rating with high confidentiality impact and no integrity or availability consequence. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.03% (11th percentile), consistent with the non-trivial prerequisite of prior renderer compromise.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to break out of the browser's renderer sandbox by sending malicious network traffic processed by the Autofill component. The flaw is rated CVSS 9.6 due to scope change and high impact across confidentiality, integrity, and availability, though Chromium itself assigns it Medium severity and EPSS exploitation probability is currently very low (0.05%). No public exploit identified at time of analysis, but a vendor-released patch is available.
Cross-origin data leakage via ServiceWorker policy bypass in Google Chrome affects all desktop versions prior to 149.0.7827.53. Insufficient policy enforcement in Chrome's ServiceWorker API allows unauthenticated remote attackers to read sensitive cross-origin data from a victim's browser session by directing the victim to a crafted HTML page. EPSS exploitation probability is very low at 0.03% (11th percentile), no public exploit code has been identified, and no CISA KEV listing exists at time of analysis - making this a moderate confidentiality risk that warrants patching but is not an immediate emergency for most organizations.
Cross-origin data leakage in Google Chrome's GPU implementation on macOS allows remote unauthenticated attackers to exfiltrate sensitive cross-origin information by luring a user to a crafted HTML page. Affected are all Chrome releases on Mac prior to 149.0.7827.53. The vulnerability stems from an inappropriate GPU implementation (CWE-200) and carries no publicly available exploit at time of analysis; EPSS sits at 0.03% (11th percentile), indicating low current exploitation probability. No active exploitation has been confirmed by CISA KEV.
Sandbox escape in Google Chrome for iOS prior to 149.0.7827.53 allows a remote attacker who lures a victim to a malicious page to potentially break out of Chrome's renderer sandbox via crafted HTML. The flaw is rated CVSS 8.8 (High) due to high confidentiality, integrity, and availability impact, though Chromium internally classifies severity as Medium and EPSS exploitation probability is currently very low (0.05%). No public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome's WebRTC subsystem (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to read data across origin boundaries when a victim visits a crafted HTML page. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, but mandatory user interaction prevents automated mass exploitation - consistent with SSVC Automatable: no and an EPSS of 0.03% (10th percentile). No public exploit code exists and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Cross-origin data leakage in Google Chrome's WebRTC implementation allows a network-positioned attacker to extract sensitive cross-origin information via crafted malicious network traffic. Affected versions are all Chrome releases prior to 149.0.7827.53; the fix is available in the stable channel update. No public exploit exists and no active exploitation has been identified - EPSS sits at 0.02% (4th percentile) and CISA SSVC assesses exploitation as none and automation as not feasible, placing real-world urgency well below the raw CVSS confidentiality impact suggests.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to break out of the browser's renderer sandbox by serving a crafted video file processed by Chrome's media codec stack. The flaw stems from insufficient validation of untrusted input in the Codecs component and requires the victim to load attacker-controlled video content, but successful exploitation yields cross-origin impact (Scope: Changed) with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 15th percentile), though the 9.6 CVSS rating and sandbox-escape primitive make this a high-priority browser patch.
Type confusion in Google Chrome's XML processing engine exposes process memory contents to remote attackers who can deliver a crafted XML file to a victim. Versions prior to 149.0.7827.53 are affected, with confidentiality impact rated High (C:H) despite an overall CVSS score of 6.5 due to the required user interaction. No public exploit code has been identified and EPSS stands at 0.03% (11th percentile), indicating low observed exploitation pressure; no KEV listing confirms active exploitation at this time.
Cross-origin data leakage in Google Chrome's MHTML implementation prior to version 149.0.7827.53 exposes sensitive user data to remote attackers via crafted HTML pages. The flaw stems from improper origin validation (CWE-346) in MHTML handling, allowing an attacker-controlled page to read data across origin boundaries - a significant breach of the browser's same-origin policy. Exploitation requires convincing a victim to perform specific UI gestures, and no public exploit or active exploitation has been identified at time of analysis; EPSS probability is very low at 0.03% (11th percentile).
Cross-origin data leakage in Google Chrome's Network implementation prior to version 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a victim to a crafted HTML page. Rooted in CWE-346 (Origin Validation Error), the flaw permits the Network component to expose data across origin boundaries that same-origin policy should protect. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS of 0.03% (11th percentile) places real-world exploitation probability as very low at time of analysis.
UI spoofing in Google Chrome's Password Manager component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to manipulate the Password Manager's visual interface via crafted malicious network traffic, potentially deceiving users about credential prompts or password state. Exploitation requires user interaction (CVSS UI:R), limiting opportunistic mass exploitation. No public exploit code exists and no active exploitation is confirmed - EPSS sits at just 0.05% (15th percentile), consistent with a low-priority medium-severity browser component flaw. A vendor-released patch is available in Chrome 149.0.7827.53.
Out-of-bounds memory access in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to read or corrupt memory by luring a user to a crafted HTML page. The flaw carries a CVSS 8.8 rating due to high impact on confidentiality, integrity, and availability, though Chromium rates the security severity as Medium and EPSS is very low (0.03%). No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.