By vendor

Apple vulnerabilities

Known CVEs affecting Apple products, prioritized by severity, with SEC.co remediation and detection guidance.

249 published vulnerabilities · page 3 of 3

  • CVE-2026-11087MEDIUM 6.5

    A memory safety issue in Google Chrome's ANGLE graphics library allows an attacker who has already compromised the renderer process to steal sensitive data from other websites. The vulnerability requires user interaction (visiting a malicious web page) and affects Chrome on Windows, macOS, and Linux. The attacker gains read-only access to cross-origin data, meaning they cannot modify it or crash the browser, but confidentiality is at risk.

  • CVE-2026-11089MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a memory disclosure vulnerability in its media handling code. If an attacker gains control of Chrome's renderer process—the component responsible for displaying web content—they can craft a malicious HTML page to read uninitialized data from memory, potentially exposing sensitive information like passwords, encryption keys, or other confidential data. The vulnerability requires a prior compromise of the renderer, meaning it's typically chained with another exploit to be effective in the wild.

  • CVE-2026-11090MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the ANGLE graphics library that can be exploited to leak data across website boundaries. An attacker could craft a malicious webpage that, when visited, causes Chrome to inadvertently expose sensitive information from other origins a user has open. This requires user interaction (visiting the malicious page) but does not require special privileges. The vulnerability affects Windows, macOS, and Linux systems running vulnerable Chrome versions.

  • CVE-2026-11093MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles printing functionality that could allow an attacker who has already compromised Chrome's rendering engine to steal sensitive data from websites the user visits. The attacker would need to trick the user into visiting a malicious webpage after gaining control of the renderer process. This is a medium-severity issue because it requires an intermediate compromise and user interaction, but the potential for cross-origin data leakage makes it worth prompt attention.

  • CVE-2026-11096MEDIUM 6.5

    A memory reading flaw in Chrome's WebRTC component allows attackers to trick users into visiting a malicious webpage that steals sensitive data from the browser's memory. The vulnerability requires user interaction (clicking a link or visiting a site) but needs no special privileges, making it a practical attack vector for information theft. Google patched this in Chrome version 149.0.7827.53 and later.

  • CVE-2026-11104MEDIUM 6.5

    CVE-2026-11104 is a memory information disclosure flaw in ANGLE, a graphics abstraction library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read uninitialized memory and leak sensitive data. This is not a trivial attack—it requires the renderer to be compromised first—but once that foothold exists, the vulnerability can amplify the damage by exposing additional secrets from the browser process. Chrome versions before 149.0.7827.53 are vulnerable.

  • CVE-2026-11105MEDIUM 6.5

    A flaw in Google Chrome's WebUI component fails to properly validate user-supplied input, allowing an attacker who has already compromised Chrome's renderer process to trick the browser into leaking sensitive data from other websites. The vulnerability requires the renderer to be compromised first, which significantly limits the attack surface. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-11106MEDIUM 6.5

    A flaw in Google Chrome's media handling allows attackers to trick users into visiting a malicious web page that can steal private data from other websites the user has visited. The vulnerability requires user interaction—someone must click a link or visit the crafted page—but once they do, an attacker can bypass Chrome's normal security boundaries that keep websites isolated from each other. This affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-11109MEDIUM 6.5

    A vulnerability in the ANGLE graphics library used by Google Chrome can leak sensitive data from websites you're viewing to an attacker. An attacker would need to trick you into visiting a specially crafted webpage, but requires no special browser extensions or user interaction beyond visiting the page. The vulnerability affects Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux systems.

  • CVE-2026-11110MEDIUM 6.5

    A flaw in Google Chrome's graphics rendering engine (ANGLE) can leak sensitive data from websites you visit to attackers. The vulnerability exists in Chrome versions before 149.0.7827.53 and requires a user to click on or interact with a malicious webpage. When exploited, it exposes confidential information that should remain isolated between different websites.

  • CVE-2026-11121MEDIUM 6.5

    CVE-2026-11121 is a medium-severity vulnerability in Skia, the graphics rendering engine used by Google Chrome. The flaw involves improper validation of untrusted input that could allow an attacker who has already compromised the browser's renderer process to extract sensitive data across origin boundaries using a specially crafted web page. This is not an initial entry point into systems, but rather a post-compromise escalation vector that broadens the damage an attacker can do once inside the browser process.

  • CVE-2026-11123MEDIUM 6.5

    A flaw in ANGLE (the graphics abstraction layer used by Google Chrome) allows attackers to trick users into visiting a malicious website that reads sensitive information directly from Chrome's memory. The vulnerability was patched in Chrome version 149.0.7827.53. Because it requires user interaction (clicking a link or visiting a page), it's less critical than remotely exploitable flaws, but the memory disclosure risk—potentially exposing authentication tokens, cached data, or other secrets—warrants prompt patching.

  • CVE-2026-11128MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Web Share feature that allows attackers to steal data from other websites. The vulnerability requires tricking a user into clicking or interacting with elements on a malicious webpage. Once triggered, an attacker can access information from cross-origin sources—essentially reading data they shouldn't have access to. This is a client-side issue affecting individual users rather than servers, and the bar for exploitation is user interaction on a crafted page.

  • CVE-2026-11129MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles extensions that could allow an attacker to steal sensitive data from websites you visit. An attacker would need to trick you into visiting a malicious webpage, but if successful, they could read information from other sites you have open—potentially including login credentials, private messages, or financial data. This is a medium-severity issue that affects Chrome on Windows, macOS, and Linux.

  • CVE-2026-11132MEDIUM 6.5

    A flaw in Chrome's Paint component allows attackers to bypass the same-origin policy—a fundamental browser security boundary—by tricking users into visiting a malicious webpage. The vulnerability affects Chrome versions before 149.0.7827.53. While an attacker cannot steal data directly through this weakness, they can modify or inject content in ways the browser should have blocked, potentially enabling follow-up attacks that compromise user sessions or inject malware. The flaw requires user interaction (visiting a crafted page) but is otherwise straightforward to exploit.

  • CVE-2026-11133MEDIUM 6.5

    A vulnerability in Google Chrome's Paint feature allows attackers to bypass the same-origin policy—a critical browser security boundary—through a specially crafted web page. An attacker could trick a user into visiting a malicious site and potentially access or modify content from another origin without permission. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require special privileges. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-11134MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the Media component handles certain HTML content. An attacker can craft a malicious webpage that, when visited by a user, leaks sensitive data that should be restricted to one website (cross-origin data) to an attacker-controlled site. The vulnerability requires user interaction—the victim must visit the crafted page—but no special browser configuration or user privileges are needed. This is a confidentiality risk, not a data destruction or service disruption issue.

  • CVE-2026-11135MEDIUM 6.5

    Google Chrome's Autofill feature fails to properly enforce security policies, allowing attackers to trick users into bypassing security controls through specially crafted web pages. An attacker cannot steal data directly, but can manipulate what gets filled into form fields—potentially leading users to submit sensitive information to the wrong destination or trigger unintended actions. The vulnerability requires user interaction (clicking or interacting with the page) and affects Chrome versions before 149.0.7827.53.

  • CVE-2026-11137MEDIUM 6.5

    CVE-2026-11137 is a memory disclosure vulnerability in ANGLE, the graphics abstraction layer used by Google Chrome. A remote attacker can trick a user into visiting a specially crafted webpage that reads uninitialized memory from the Chrome process, potentially exposing sensitive data like passwords, tokens, or other information temporarily stored in RAM. The attack requires user interaction (clicking a link or visiting a malicious site) but no special privileges. This affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.

  • CVE-2026-11138MEDIUM 6.5

    A memory initialization flaw in Google Chrome's ANGLE graphics component allows attackers to expose sensitive data across different websites when users visit a malicious webpage. An attacker would need to craft a specially designed HTML page and trick a user into viewing it; the vulnerability itself requires no special browser configuration and affects all major operating systems where Chrome runs.

  • CVE-2026-11139MEDIUM 6.5

    A flaw in Google Chrome's Paint implementation allows attackers to steal sensitive information from one website and expose it to another. An attacker can craft a specially designed web page that, when visited by a user, exploits this vulnerability to read data across security boundaries that browsers normally enforce. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—the victim must visit the malicious page—but does not require special permissions or system access.

  • CVE-2026-11140MEDIUM 6.5

    A memory reading vulnerability in Google Chrome's Chromecast feature allows an attacker who has already compromised the browser's renderer process to steal sensitive data from the browser's memory by serving a specially crafted web page. The vulnerability requires the attacker to have control of the renderer—the component that displays websites—but once achieved, they can extract information without needing special privileges or modifying the page's normal function.

  • CVE-2026-11141MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the audio subsystem that can leak sensitive data from memory. An attacker who has already compromised the renderer process—the component that executes web content—can craft a malicious HTML page to read uninitialized memory and extract potentially confidential information. This requires an existing foothold in the renderer, making it a secondary-stage exploitation technique rather than a direct entry vector.

  • CVE-2026-11142MEDIUM 6.5

    A flaw in Google Chrome's Paint feature prior to version 149.0.7827.53 allows attackers to bypass the browser's same-origin policy through a maliciously crafted webpage. An attacker could trick a user into visiting their page and potentially access or manipulate content that should be isolated from other websites. The vulnerability requires user interaction but poses a meaningful integrity risk to web security boundaries.

  • CVE-2026-9882MEDIUM 6.5

    CVE-2026-9882 is a memory safety flaw in the ANGLE graphics library used by Google Chrome that allows attackers to steal data from websites you're visiting, provided they trick you into viewing a specially crafted web page. The vulnerability stems from an integer overflow—a programming error where a number wraps around unexpectedly—enabling unauthorized cross-origin data leakage. While the Chromium team rated this as "Critical," the CVSS base score of 6.5 reflects that successful exploitation requires user interaction (clicking or viewing content) and doesn't enable code execution or system-level damage. The flaw affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-9953MEDIUM 6.5

    CVE-2026-9953 is a memory safety bug in the ANGLE graphics library used by Google Chrome that allows an attacker to read sensitive data from the browser process. An attacker can craft a malicious HTML page that, when visited by a user, exploits an out-of-bounds read to leak information like passwords, session tokens, or other confidential data stored in Chrome's memory. The vulnerability requires user interaction (clicking a link or visiting a page) but does not require special privileges and works across Windows, macOS, and Linux. Google has assigned it high severity within Chromium's security framework.

  • CVE-2026-9981MEDIUM 6.5

    A flaw in the Skia graphics rendering library within Google Chrome allows attackers to trick users into visiting malicious web pages that expose sensitive data from the browser's memory. The vulnerability requires user interaction (clicking a link or visiting a site) but needs no special privileges to exploit, making it a realistic threat to everyday Chrome users.

  • CVE-2026-9996MEDIUM 6.5

    A flaw in Google Chrome's WebRTC component allows a remote attacker to trick a user into visiting a malicious webpage that reads sensitive data from the browser's memory. The vulnerability affects Mac users running Chrome versions before 148.0.7778.216. No user action beyond visiting a crafted page is required for the attacker to attempt exploitation.

  • CVE-2026-9989MEDIUM 6.3

    Google Chrome contained a flaw in how it handles media files that allowed attackers to bypass the same-origin policy—a critical browser security boundary. An attacker could craft a malicious video file that, when opened by a user in Chrome, would enable unauthorized access to sensitive data from other websites the user was visiting. The vulnerability requires user interaction (clicking a link or opening a file) but does not require special privileges or complex attack setup.

  • CVE-2026-10916MEDIUM 6.1

    CVE-2026-10916 is a cross-site scripting vulnerability in Google Chrome's developer tools that allows an attacker to inject malicious scripts or HTML content into a webpage. The attack requires two conditions: first, the attacker must have already compromised Chrome's renderer process (the component that executes web content), and second, the user must be tricked into visiting a specially crafted HTML page. While the initial compromise is a significant prerequisite, once achieved, this vulnerability enables the attacker to execute arbitrary code with the privileges of the browser session, potentially stealing sensitive data or performing actions on behalf of the user.

  • CVE-2026-11122MEDIUM 6.1

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the keyboard input handler processes certain HTML page elements. An attacker can craft a malicious webpage that, when visited by an unsuspecting user, injects arbitrary scripts or HTML content that executes in a security context where it shouldn't be allowed—a technique called Uniform Cross-Site Scripting (UXSS). This bypasses the browser's same-origin policy protections that normally prevent cross-domain attacks. The vulnerability requires user interaction (clicking or viewing the page) but affects all major platforms where Chrome runs.

  • CVE-2026-11150MEDIUM 6.1

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser processes XML within HTML pages. An attacker can craft a malicious webpage that, when visited, injects arbitrary scripts or HTML content that execute in the context of unrelated sites (a technique known as Universal Cross-Site Scripting or UXSS). This bypasses the same-origin policy that normally prevents one site from accessing data or performing actions on another. The vulnerability requires user interaction—a victim must visit the attacker's page—but does not require any special browser configuration or user privileges to trigger.

  • CVE-2026-9971MEDIUM 5.4

    A vulnerability in Google Chrome on iOS allows attackers to inject malicious scripts or HTML code into web pages when a user performs specific interactions with the browser. An attacker would need to craft a deceptive webpage and convince a user to engage with it in particular ways—such as specific taps or gestures—to trigger the injection. Once successful, the attacker gains the ability to run arbitrary code in the context of the webpage, potentially stealing data or modifying what the user sees.

  • CVE-2026-11004MEDIUM 5.3

    CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

  • CVE-2026-11098MEDIUM 5.3

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in GPU handling that allows an attacker with control of the renderer process to extract sensitive data from other websites. The vulnerability requires user interaction and a compromised renderer, making it a targeted risk rather than a mass-exploitation vector. The issue stems from insufficient validation when processing untrusted input, permitting cross-origin information disclosure.

  • CVE-2026-9942MEDIUM 5.0

    CVE-2026-9942 is a memory safety issue in ANGLE, the graphics abstraction layer used by Google Chrome. When a remote attacker has already compromised Chrome's renderer process, they can exploit this uninitialized memory condition to break out of Chrome's site isolation sandbox using a specially crafted HTML page. Site isolation is Chrome's primary defense against cross-site data theft; bypassing it allows an attacker to read data from other websites the user is visiting. This requires the renderer process to be already compromised, meaning it is a post-compromise escalation rather than an entry point.

  • CVE-2026-9979MEDIUM 5.0

    CVE-2026-9979 is a site isolation bypass vulnerability in Google Chrome that allows an attacker to escape the security boundary between different websites if they have already compromised Chrome's rendering engine. An attacker would need to trick a user into visiting a malicious HTML page while the renderer process is already under their control. Site isolation is Chrome's core defense mechanism that prevents one website's scripts from accessing another website's data; this vulnerability undermines that protection in a limited but serious scenario.

  • CVE-2026-9980MEDIUM 5.0

    Google Chrome versions before 148.0.7778.216 contain a flaw in how it validates input when printing documents. An attacker who has already compromised Chrome's rendering engine can exploit this to bypass Site Isolation, a security boundary that separates data between websites. This requires both a prior compromise of the renderer process and user interaction, making it a secondary attack in a chain rather than a standalone entry point.

  • CVE-2026-11031MEDIUM 4.3

    Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.

  • CVE-2026-11062MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a vulnerability in how it enforces policies on browser extensions. An attacker could create a malicious extension that, if installed by a user, would be able to inject malicious scripts or HTML code into sensitive browser pages. While the technical barrier is relatively low (it requires social engineering to trick a user into installing the extension), the impact is limited to tampering with page content rather than stealing data or causing system crashes.

  • CVE-2026-11107MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles the Downloads feature that allows an attacker to trick users with a deceptive webpage. Specifically, an attacker could craft a malicious HTML page that, when viewed in an affected Chrome browser, would display fake or misleading interface elements to deceive users—a technique called UI spoofing. The vulnerability requires user interaction (visiting the malicious page) but does not compromise confidentiality or system availability; the primary risk is deception around the integrity of what the user sees on their screen.

  • CVE-2026-11126MEDIUM 4.3

    A flaw in Google Chrome's Developer Tools (DevTools) allows an attacker to access data from different websites if they can trick a user into installing a malicious browser extension. The vulnerability has a CVSS score of 4.3 (Medium severity) and requires user interaction—specifically, the user must be convinced to install the malicious extension. Once installed, the crafted extension can exploit improper input validation in DevTools to leak cross-origin data that should normally be protected by browser security policies.

  • CVE-2026-9930MEDIUM 4.3

    An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9935MEDIUM 4.3

    CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.

  • CVE-2026-9955MEDIUM 4.3

    A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.

  • CVE-2026-9986MEDIUM 4.2

    CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

  • CVE-2026-9944LOW 3.1

    CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.

  • CVE-2026-9950LOW 3.1

    A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.