By weakness (CWE)
CWE-290: related vulnerabilities
CVEs classified under CWE-290. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-42674HIGH 7.5
The Advanced Access Manager (AAM) plugin contains a vulnerability that allows attackers to bypass authentication by spoofing requests through URL encoding techniques. An attacker can craft specially encoded URLs to circumvent access controls without needing valid credentials, potentially gaining unauthorized access to protected resources. This affects AAM versions up through 7.1.0.
- CVE-2026-11001MEDIUM 6.5
Google Chrome versions before 149.0.7827.53 contain a flaw in the Payments feature that allows attackers to create a fake user interface through a specially crafted webpage. To exploit this, an attacker would need to trick a user into performing specific interactions—such as clicks or gestures—on the malicious page. The attack does not steal data or crash the browser, but instead deceives the user by making the browser display content that appears to come from a trusted source, when it actually originates from the attacker. This is a medium-severity issue that depends on user interaction to succeed.
- CVE-2026-11019MEDIUM 6.5
A vulnerability in Google Chrome's payments implementation on Android allows an attacker who has already compromised the browser's rendering engine to trick users into believing they are interacting with a legitimate website when they are actually on a fraudulent one. The attacker would craft a deceptive HTML page that spoofs the domain name displayed to the user, potentially leading to credential theft, payment fraud, or other social engineering attacks. This requires an initial compromise of the renderer process, which limits the immediate exposure but represents a serious escalation risk once that initial foothold is established.