By weakness (CWE)

CWE-346: related vulnerabilities

CVEs classified under CWE-346. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

6 published vulnerabilities

  • CVE-2026-10937MEDIUM 6.5

    CVE-2026-10937 is a same-origin policy bypass vulnerability in Google Chrome's password handling logic. An attacker can craft a malicious HTML page that, when visited by a user, exploits an implementation flaw to circumvent Chrome's same-origin policy protections. This could allow unauthorized script execution or data access across domain boundaries, though the actual impact depends on how the flaw is chained with other browser capabilities. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction to trigger.

  • CVE-2026-10996MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability in how Web Workers are implemented that could allow an attacker to bypass the same-origin policy—a fundamental browser security boundary. An attacker could craft a malicious HTML page that, when visited by a user, potentially accesses or modifies content from other websites in the victim's browser session. This requires user interaction (visiting the crafted page) but does not require any special browser features to be enabled.

  • CVE-2026-11020MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.

  • CVE-2026-11032MEDIUM 6.5

    Google Chrome's Password Manager contained a flaw that could allow an attacker to trick users into visiting a malicious webpage and leak sensitive data from other websites the user visits. The vulnerability requires user interaction—visiting a crafted HTML page—but once triggered, could expose cross-origin information that should remain isolated between websites. This affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-34460MEDIUM 5.4

    NamelessMC, a website platform for Minecraft servers, contains a vulnerability in how it handles OAuth authentication callbacks. When a user logs in via OAuth (a third-party authentication method), the application fails to verify a security token called a 'state parameter' before accepting the login. An attacker can exploit this by crafting a malicious link that tricks a victim into logging in with the attacker's own account credentials. Once clicked, the victim's session becomes authenticated as the attacker, potentially granting unauthorized access to the victim's account on that NamelessMC instance. The vulnerability affects NamelessMC versions 2.2.4 and earlier.

  • CVE-2026-10010MEDIUM 5.0

    Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.