Skip to main content

Google

Vendor security scorecard – 2881 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 9040
2881
CVEs
236
Critical
1321
High
10
KEV
112
PoC
293
Unpatched C/H
78.0%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
236
HIGH
1321
MEDIUM
1155
LOW
151

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-3910 Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-11645 Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-3909 Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers. HIGH 8.8 0.1% 119
KEV PoC
CVE-2026-5281 Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification. HIGH 8.8 0.0% 119
KEV PoC
CVE-2026-2441 Google Chrome's CSS engine contains a use-after-free vulnerability (CVE-2026-2441, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox through crafted HTML pages. KEV-listed with public PoC, this vulnerability enables drive-by exploitation when users visit malicious or compromised websites. HIGH 8.8 0.1% 114
KEV PoC
CVE-2025-10585 Google Chrome V8 JavaScript engine contains a type confusion vulnerability enabling heap corruption through crafted HTML pages, exploited in the wild in June 2025. CRITICAL 9.8 0.7% 100
KEV
CVE-2025-13223 Google Chrome V8 contains a type confusion vulnerability in the JavaScript engine, the second V8 type confusion zero-day in 2025, exploited in targeted attacks. HIGH 8.8 2.5% 97
KEV
CVE-2025-48572 Android contains a missing authentication vulnerability (CVE-2025-48572, CVSS 7.8) in multiple locations that allows background activity launches through a permissions bypass, enabling local privilege escalation without user interaction. KEV-listed, this vulnerability enables malicious apps to perform privileged operations silently in the background, bypassing Android's activity launch restrictions. HIGH 7.8 0.2% 89
KEV No patch
CVE-2025-12139 The File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 22.0% and no vendor patch available. HIGH 7.5 22.0% 80
PoC No patch
CVE-2025-48633 CVE-2025-48633 is a security vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed). Vendor patch is available. MEDIUM 5.5 0.2% 78
KEV
CVE-2025-11307 The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. HIGH 8.8 7.0% 71
PoC No patch
CVE-2025-59834 ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. CRITICAL 9.8 1.2% 70
PoC
CVE-2026-8181 Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing. CRITICAL 9.8 0.3% 69
PoC No patch
CVE-2026-42589 Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact. CRITICAL 9.8 0.1% 69
PoC
CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. CRITICAL 9.3 0.4% 67
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy