By weakness (CWE)
CWE-20: related vulnerabilities
CVEs classified under CWE-20. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
119 published vulnerabilities · page 2 of 2
- CVE-2026-9980MEDIUM 5.0
Google Chrome versions before 148.0.7778.216 contain a flaw in how it validates input when printing documents. An attacker who has already compromised Chrome's rendering engine can exploit this to bypass Site Isolation, a security boundary that separates data between websites. This requires both a prior compromise of the renderer process and user interaction, making it a secondary attack in a chain rather than a standalone entry point.
- CVE-2026-11233MEDIUM 4.7
CVE-2026-11233 is a same-origin policy bypass vulnerability in Google Chrome's FoldableAPIs feature. An attacker who has already gained control of Chrome's renderer process—the component that executes web page code—can use a specially crafted HTML page to break through Chrome's security boundary and access data from websites the user visits. This requires the attacker to have already compromised the renderer, making it a secondary exploit rather than a direct entry point. The vulnerability affects Chrome versions prior to 149.0.7827.53.
- CVE-2026-3620MEDIUM 4.4
The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.
- CVE-2026-11031MEDIUM 4.3
Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.
- CVE-2026-11126MEDIUM 4.3
A flaw in Google Chrome's Developer Tools (DevTools) allows an attacker to access data from different websites if they can trick a user into installing a malicious browser extension. The vulnerability has a CVSS score of 4.3 (Medium severity) and requires user interaction—specifically, the user must be convinced to install the malicious extension. Once installed, the crafted extension can exploit improper input validation in DevTools to leak cross-origin data that should normally be protected by browser security policies.
- CVE-2026-11192MEDIUM 4.3
Google Chrome's password manager has a flaw that fails to properly check information coming from the network. An attacker can exploit this by sending crafted network traffic to trick the browser's UI into displaying fake or misleading content—for example, mimicking legitimate login prompts or security warnings. The attacker cannot steal data or crash the browser, but they can manipulate what users see, potentially leading to credential theft or social engineering attacks if the spoofed interface convinces users to enter sensitive information.
- CVE-2026-11221MEDIUM 4.3
A weakness in Google Chrome's PointerLock feature allows a threat actor who has already gained control of the browser's renderer process to deceive users through fake on-screen elements. The attacker would craft a malicious HTML page that tricks the browser into displaying misleading UI, potentially impersonating legitimate interface elements. This requires the renderer process to be compromised first, making it a secondary attack that typically follows another successful exploit.
- CVE-2026-11259MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how the Cast feature validates user-supplied input. This allows an attacker to craft a malicious webpage that, when visited, can bypass Chrome's same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites. The attack requires user interaction (visiting the page) but requires no special privileges. While Chromium rates the underlying severity as Low, the ability to circumvent same-origin policy elevates practical risk.
- CVE-2026-11261MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles PDF rendering that could allow an attacker to trick users into believing they're viewing legitimate content when they're not. If an attacker has already compromised Chrome's rendering engine (the component that displays web pages), they can craft a specially designed HTML page to perform UI spoofing—making fake buttons, warnings, or other interface elements appear authentic. This is a medium-severity issue because it requires both a prior compromise of the renderer process and user interaction to be exploited.
- CVE-2026-11280MEDIUM 4.3
A flaw in Google Chrome's sign-in interface on iOS allows an attacker to trick users with a fake login screen. By crafting a malicious web page, an attacker could make it appear that a legitimate Chrome sign-in prompt is appearing, potentially deceiving users into entering credentials or sensitive information. The vulnerability requires user interaction—visiting a crafted page—but does not require authentication or special privileges to attempt. While Google classifies this at low severity internally, the CVSS score reflects medium risk due to the integrity impact of potential credential theft or trust erosion.
- CVE-2026-11286MEDIUM 4.3
A flaw in Google Chrome's Wallet component allows attackers who have already compromised a browser's renderer process to trick users with fake UI elements displayed on a web page. This requires the attacker to first gain control of the renderer—the part of the browser that displays web content—which is a significant prerequisite but not impossible in real-world scenarios where other vulnerabilities or social engineering may be chained together.
- CVE-2026-9986MEDIUM 4.2
CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.
- CVE-2026-30963LOW 3.9
Capsule is a Kubernetes framework that uses webhooks to prevent tenant administrators from hijacking namespaces—essentially taking control of cluster resources they shouldn't own. The framework checks most update requests, but it misses two specific APIs (namespace/status and namespace/finalize subresources) that can also change namespace ownership markers. Before version 0.13.0, a tenant admin with permission to use these subresources could bypass the webhook protection and seize a namespace. Version 0.13.0 patches this gap by ensuring the webhook intercepts both subresource types.
- CVE-2026-11240LOW 3.1
CVE-2026-11240 is a low-severity input validation flaw in Google Chrome's Loader component that allows a remote attacker to bypass the browser's site isolation security feature, but only if they have already compromised the renderer process. Site isolation is Chrome's defense mechanism that runs each website in a separate process to prevent one compromised site from accessing data from another. An attacker would need to deliver a specially crafted HTML page to exploit this, making it a post-compromise risk rather than a direct remote code execution vector. The vulnerability affects Chrome versions prior to 149.0.7827.53.
- CVE-2026-11244LOW 3.1
CVE-2026-11244 is a low-severity flaw in Google Chrome's WebAuthentication feature that allows inadequate validation of user-supplied input. An attacker with prior access to Chrome's renderer process—the component responsible for displaying web pages—could craft a malicious HTML page to circumvent the browser's same-origin policy, a fundamental security boundary that prevents scripts from one website accessing data from another. This is not a direct remote code execution and requires both renderer process compromise and user interaction to succeed.
- CVE-2026-11251LOW 3.1
A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.
- CVE-2026-9950LOW 3.1
A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.
- CVE-2026-44367LOW 2.7
Klaw, a Kafka topic management and governance platform, contains a vulnerability in how it handles usernames during registration and login. The system doesn't consistently apply case sensitivity rules—treating 'Admin' and 'admin' as different or the same depending on the operation—which allows authenticated users with administrative privileges to deliberately lock out accounts or trigger denial of service conditions. This is a low-severity issue requiring administrative access to exploit, but it can impact operational availability if administrators use it maliciously or if the inconsistency is exploited in targeted attacks. The flaw was fixed in version 2.10.4.
- CVE-2026-45076LOW 2.7
Synapse, an open-source Matrix homeserver implementation used for federated messaging, contains a flaw in how it handles room history in cross-server deployments. Malicious homeservers can craft specially formed room events that cause Synapse instances to withhold historical messages from clients requesting older conversation data. Users may see incomplete chat histories or missing messages when paginating through room archives. This is a low-severity issue because it requires a compromised or malicious federated peer and affects data availability rather than confidentiality or integrity.