Skip to main content

Google

Vendor security scorecard – 2257 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 7004
2257
CVEs
209
Critical
1060
High
5
KEV
53
PoC
135
Unpatched C/H
87.7%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
209
HIGH
1060
MEDIUM
886
LOW
96

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-3910 Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-11645 Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-3909 Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-5281 Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification. HIGH 8.8 0.0% 119
KEV PoC
CVE-2026-2441 Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. HIGH 8.8 0.1% 114
KEV PoC
CVE-2026-8181 Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing. CRITICAL 9.8 0.3% 69
PoC No patch
CVE-2026-42589 Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact. CRITICAL 9.8 0.1% 69
PoC
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. CRITICAL 9.3 0.4% 67
PoC
CVE-2026-4810 Remote code execution in Google Agent Development Kit (ADK) versions 1.7.0-1.28.0 and 2.0.0a1 allows unauthenticated remote attackers to execute arbitrary code on ADK server instances via combined code injection and missing authentication flaws. Affects Python OSS deployments, Cloud Run, and GKE environments. CVSS 9.3 critical severity with proof-of-concept code available (CVSS:4.0 E:P). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though the authentication bypass combined with RCE presents extreme risk for exposed instances. CRITICAL 9.3 0.3% 67
PoC
CVE-2026-54069 Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chrome/Chromium browser extension obtain RoleAdministrator access to the local kernel HTTP server at 127.0.0.1:6806. Because the kernel unconditionally trusts all chrome-extension:// origins and desktop installs ship with an empty AccessAuthCode by default, a malicious or supply-chain-compromised extension can issue fully authenticated admin API calls with no further authentication, enabling data exfiltration, stored XSS injection, and configuration tampering. Publicly available exploit code exists; there is no public exploit identified as actively exploited. CRITICAL 9.2 0.6% 67
PoC
CVE-2026-33186 An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data. CRITICAL 9.1 0.0% 66
PoC
CVE-2026-4092 Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations. HIGH 8.7 1.0% 65
PoC
CVE-2019-25745 WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.8 0.1% 64
PoC No patch
CVE-2018-25326 Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.7 0.5% 64
PoC No patch
CVE-2019-25605 EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.7 0.0% 64
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy