By weakness (CWE)
CWE-451: related vulnerabilities
CVEs classified under CWE-451. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
8 published vulnerabilities
- CVE-2019-25718HIGH 8.4
The Dräger Infinity Explorer C700, a patient monitor interface device, contains a vulnerability that allows an attacker with local access to break out of its restricted kiosk environment and gain full control of the underlying operating system. Once escaped from kiosk mode, an attacker can manipulate the device's display, causing it to show incorrect patient data or no data at all—a serious concern in clinical settings where accurate vital sign monitoring is critical to patient safety.
- CVE-2026-0088HIGH 7.8
A flaw in Android's certificate installer component allows a malicious app with basic system privileges to bypass security dialogs that normally protect sensitive operations. By exploiting misleading UI presentation, an attacker can escalate their permissions without user knowledge or interaction. The vulnerability is particularly dangerous because it requires no special execution rights—a standard app can trigger it.
- CVE-2026-0093HIGH 7.8
CVE-2026-0093 is a local privilege escalation vulnerability affecting Google Android. The flaw stems from misleading user interface elements that obscure the true nature of certain operations, potentially tricking users into granting elevated permissions. An attacker with local access to the device can exploit this weakness to escalate privileges without needing special system permissions beforehand, and notably, without requiring any user interaction during the actual exploitation phase. The vulnerability allows an attacker to read, modify, or delete sensitive data and potentially take control of affected system functions.
- CVE-2026-0094HIGH 7.8
A flaw in Android's KeyChain component allows a local attacker with user-level privileges to manipulate the certificate approval interface in a way that tricks the system into granting access to certificates without explicit user consent. The vulnerability stems from misleading or incomplete UI messaging in the getApplicationLabel function, enabling privilege escalation entirely through local interaction. No special permissions or user action is required to exploit it once initiated.
- CVE-2026-0096HIGH 7.8
CVE-2026-0096 is a local privilege escalation vulnerability in Android's ForgetDeviceDialogFragment that allows an attacker with local access to manipulate or bypass a device-forget confirmation flow due to misleading UI elements. The vulnerability requires no user interaction to exploit and can result in unauthorized privilege escalation on the affected device.
- CVE-2026-11001MEDIUM 6.5
Google Chrome versions before 149.0.7827.53 contain a flaw in the Payments feature that allows attackers to create a fake user interface through a specially crafted webpage. To exploit this, an attacker would need to trick a user into performing specific interactions—such as clicks or gestures—on the malicious page. The attack does not steal data or crash the browser, but instead deceives the user by making the browser display content that appears to come from a trusted source, when it actually originates from the attacker. This is a medium-severity issue that depends on user interaction to succeed.
- CVE-2026-11019MEDIUM 6.5
A vulnerability in Google Chrome's payments implementation on Android allows an attacker who has already compromised the browser's rendering engine to trick users into believing they are interacting with a legitimate website when they are actually on a fraudulent one. The attacker would craft a deceptive HTML page that spoofs the domain name displayed to the user, potentially leading to credential theft, payment fraud, or other social engineering attacks. This requires an initial compromise of the renderer process, which limits the immediate exposure but represents a serious escalation risk once that initial foothold is established.
- CVE-2026-10984MEDIUM 5.4
Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.