By vendor

Apple vulnerabilities

Known CVEs affecting Apple products, prioritized by severity, with SEC.co remediation and detection guidance.

108 published vulnerabilities · page 2 of 2

  • CVE-2026-11026MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how extensions are handled that allows an attacker to bypass built-in navigation restrictions. The vulnerability requires social engineering—an attacker must trick a user into installing a malicious Chrome extension. Once installed, the extension can circumvent the browser's navigation safeguards, potentially redirecting users to unintended destinations or enabling other attack chains. This is classified as a Medium severity issue by Chromium's security team.

  • CVE-2026-11027MEDIUM 6.5

    A vulnerability in Google Chrome's Glic component fails to properly validate untrusted input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data across website boundaries using a specially crafted webpage. The attacker needs initial renderer process compromise but then gains the ability to read data from sites the user visits, bypassing normal browser security boundaries.

  • CVE-2026-11032MEDIUM 6.5

    Google Chrome's Password Manager contained a flaw that could allow an attacker to trick users into visiting a malicious webpage and leak sensitive data from other websites the user visits. The vulnerability requires user interaction—visiting a crafted HTML page—but once triggered, could expose cross-origin information that should remain isolated between websites. This affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-11033MEDIUM 6.5

    A memory initialization flaw in Chrome's WebML component on macOS allows attackers to steal sensitive data. When a user visits a malicious webpage, the browser may leak uninitialized memory contents—potentially exposing passwords, tokens, or other private information—without requiring any special user interaction beyond loading the page. The issue affects Chrome versions before 149.0.7827.53 on Apple's macOS.

  • CVE-2026-10916MEDIUM 6.1

    CVE-2026-10916 is a cross-site scripting vulnerability in Google Chrome's developer tools that allows an attacker to inject malicious scripts or HTML content into a webpage. The attack requires two conditions: first, the attacker must have already compromised Chrome's renderer process (the component that executes web content), and second, the user must be tricked into visiting a specially crafted HTML page. While the initial compromise is a significant prerequisite, once achieved, this vulnerability enables the attacker to execute arbitrary code with the privileges of the browser session, potentially stealing sensitive data or performing actions on behalf of the user.

  • CVE-2026-11004MEDIUM 5.3

    CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

  • CVE-2026-11031MEDIUM 4.3

    Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.