210
CVEs
13
Critical
85
High
3
KEV
23
PoC
17
Unpatched C/H
75.7%
Patch Rate
0.0%
Avg EPSS
Severity Breakdown
CRITICAL
13
HIGH
85
MEDIUM
53
LOW
19
Monthly CVE Trend
Affected Products (30)
Android
746
Chrome
372
Memory Corruption
244
Use After Free
147
Linux Kernel
101
Ubuntu
74
PHP
54
Windows
42
Heap Overflow
40
Java
28
Race Condition
27
Edge Chromium
25
Debian Linux
21
Yocto
21
Openwrt
20
Null Pointer Dereference
20
iOS
19
macOS
18
Firefox
16
Integer Overflow
15
Rdk B
12
Open Redirect
10
Docker
9
Python
9
AI / ML
8
Software Development Kit
8
Stack Overflow
8
Chrome Os
7
Deserialization
6
Command Injection
6
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-3910 | Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-3909 | Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. | HIGH | 8.8 | 0.1% | 119 |
KEV
PoC
|
| CVE-2026-5281 | Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification. | HIGH | 8.8 | 0.0% | 119 |
KEV
PoC
|
| CVE-2026-32635 | A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data. | HIGH | 8.6 | 0.0% | 63 |
PoC
|
| CVE-2026-4229 | SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability. | HIGH | 7.3 | 0.0% | 57 |
PoC
No patch
|
| CVE-2026-32731 | Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments. | CRITICAL | 9.9 | 0.1% | 50 |
|
| CVE-2026-3535 | Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized. | CRITICAL | 9.8 | 0.3% | 49 |
No patch
|
| CVE-2026-4755 | A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193. | CRITICAL | 9.8 | 0.1% | 49 |
|
| CVE-2026-33976 | Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory. | CRITICAL | 9.6 | 0.1% | 48 |
No patch
|
| CVE-2026-5289 | Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor. | CRITICAL | 9.6 | 0.0% | 48 |
|
| CVE-2026-5290 | Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later. | CRITICAL | 9.6 | 0.0% | 48 |
|
| CVE-2026-5874 | Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%). | CRITICAL | 9.6 | 0.0% | 48 |
|
| CVE-2026-5288 | Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium. | CRITICAL | 9.6 | 0.0% | 48 |
|
| CVE-2026-33992 | PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8. | CRITICAL | 9.3 | 0.1% | 47 |
|
| CVE-2026-5470 | Server-side request forgery in mixelpixx Google-Research-MCP allows authenticated remote attackers to craft malicious URLs passed to the extractContent function, enabling them to make arbitrary HTTP requests from the affected server. The vulnerability affects the Model Context Protocol Handler component, has a publicly available exploit, and receives a CVSS 5.3 score with moderate exploitation likelihood. The vendor has not responded to disclosure attempts, and the project uses rolling releases, making patch tracking difficult. | MEDIUM | 5.3 | 0.0% | 47 |
PoC
No patch
|