By weakness (CWE)
CWE-602: related vulnerabilities
CVEs classified under CWE-602. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
5 published vulnerabilities
- CVE-2026-11011HIGH 8.1
A flaw in Google Chrome's Password Manager allows an attacker who has already compromised the browser's renderer process to sidestep site isolation—a critical security boundary that prevents one website from accessing data belonging to another. By crafting a malicious HTML page, the attacker could potentially access sensitive information across different sites. This vulnerability affects Chrome versions before 149.0.7827.53 and requires the attacker to first gain control of the renderer process, which typically happens through a separate exploit or malicious website.
- CVE-2026-11014MEDIUM 6.5
Google Chrome versions before 149.0.7827.53 contain a vulnerability where insufficient policy enforcement in the extension system allows a malicious extension to circumvent Site Isolation—Chrome's security boundary that prevents one website from accessing another's data. An attacker must first convince a user to install the malicious extension, but once installed, the extension can read or modify data across websites that the user visits, potentially exposing sensitive information.
- CVE-2026-11018MEDIUM 6.5
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces navigation policies. An attacker can craft a malicious HTML page that, when visited, tricks Chrome into allowing navigation to restricted destinations that should normally be blocked. The vulnerability requires user interaction—a person must visit the hostile page—but no special privileges are needed on the attacker's side. The core risk is integrity: an attacker can redirect you to unwanted sites, potentially enabling phishing, malware distribution, or social engineering attacks.
- CVE-2026-11025MEDIUM 6.5
Google Chrome on Android contains a flaw in how it enforces content security policies (CSP) during navigation. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute unintended content within a page that should be restricted. The vulnerability requires user interaction (visiting a malicious site) and affects Chrome versions before 149.0.7827.53 on Android devices.
- CVE-2026-42329MEDIUM 4.7
Iris, a web platform used by incident responders to collaborate and share technical details during security investigations, contains an open redirect vulnerability in versions before 2.4.28. An attacker can craft a malicious link within the application that tricks users into visiting an external website under the attacker's control. This is a social engineering risk rather than a direct system compromise—the attack depends on user interaction and targets the trust users place in links shared within their incident response platform.