By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
2448 published vulnerabilities · page 22 of 25
- CVE-2026-36180MEDIUM 4.6
GNCC GP5 version 7.1.76 has a security weakness that allows an attacker with physical access to the machine to temporarily modify read-only system files and binaries during a single boot session. The vulnerability exploits bind-mount mechanisms—a Linux/Unix filesystem technique—to circumvent protections meant to keep critical system files locked down. While the attacker needs to be physically present and the changes only persist until reboot, this represents a meaningful integrity risk for systems in shared, controlled, or potentially hostile physical environments.
- CVE-2026-45153MEDIUM 4.6
Nextcloud Files app on Android has a PIN bypass vulnerability affecting versions 33.0.0 through 33.0.x. An attacker with physical access to an unlocked Android device can use the back button to circumvent the app's PIN protection and gain unauthorized access to files stored in the Nextcloud app. This is a local attack requiring the device to already be unlocked, but it effectively neutralizes the app-level security control that would normally protect sensitive files even if the phone falls into the wrong hands.
- CVE-2026-45284MEDIUM 4.6
Nextcloud's OIDC (OpenID Connect) user authentication module contains a flaw that allows deleted LDAP users to continue authenticating to the system. When an organization uses both LDAP and OIDC for user management, deletion of a user from LDAP does not properly prevent that user from logging in via OIDC. This creates an unintended persistence of access for users who should no longer have system privileges. The issue affects Nextcloud versions 1.3.6 through 8.3.x and has been resolved in version 8.4.0.
- CVE-2026-49316MEDIUM 4.6
A vulnerability in the 2025 Indian Motorcycle Scout Bobber + Tech model allows someone with access to the motorcycle's wireless network to disable anti-theft protections and operate the vehicle without proper authorization. An attacker can manipulate error messages on the motorcycle's internal communication system (CAN bus) to silence the Wireless Control Module, which normally enforces shutdown commands tied to the immobilizer. Once this module stops communicating, other systems on the motorcycle treat its silence as normal rather than a security event, leaving the bike vulnerable to theft despite the immobilizer lock never being engaged.
- CVE-2026-49324MEDIUM 4.6
A vulnerability in the Wireless Control Module of the 2025 Indian Motorcycle Scout Bobber + Tech allows someone with access to the bike's internal network to permanently disable it. By sending a small number of specially crafted wireless messages, an attacker can trigger a lockout on the motorcycle's immobilizer system—the security mechanism that prevents unauthorized starting. Unlike typical lockouts that reset when you power cycle the device, this one persists even after restarting the bike, leaving owners unable to start their motorcycle until they visit a dealer for service.
- CVE-2026-49325MEDIUM 4.6
Indian Motorcycle's 2025 Scout Bobber + Tech model contains a physical security flaw in its anti-theft system. An attacker with access to the motorcycle's Wireless Control Module (WCM) wiring harness can disconnect a specific wire pair to bypass the PIN-protected shutdown mechanism, leaving the bike fully operational and vulnerable to theft. The vulnerability exploits a gap in how the motorcycle's engine control unit (ECU) validates shutdown signals—it cannot tell the difference between a legitimate shutdown command and a severed wire.
- CVE-2026-0410MEDIUM 4.5
CVE-2026-0410 is a privilege-escalation vulnerability affecting Netgear routers. An authenticated administrator already connected to the local network can exploit improper input validation to gain elevated access and modify router firmware and settings without authorization. The vulnerability requires the attacker to already have valid admin credentials and local network access, which limits the practical threat surface but poses significant risk in environments where router access controls are not tightly managed.
- CVE-2026-0412MEDIUM 4.5
A vulnerability in NETGEAR JR6150 routers allows someone with administrative access on the local network to modify the router's software and settings without proper authorization. The issue stems from inadequate validation of user input. This router model is quite old—released in 2014 and no longer supported by NETGEAR as of 2018—meaning no security patches will be issued. The vulnerability was discovered through controlled testing of the device's firmware in a lab environment, not on actual deployed hardware.
- CVE-2026-0413MEDIUM 4.5
A buffer overflow flaw in NETGEAR Orbi mesh router firmware allows authenticated administrators on the local network to modify router software and functionality without authorization. The vulnerability stems from insufficient input validation, meaning an admin account could inject malicious data that overwrites system memory. While exploitation requires valid administrative credentials and local network access, the ability to alter router firmware represents a serious integrity compromise.
- CVE-2026-0414MEDIUM 4.5
NETGEAR has a vulnerability in certain router models that allows authenticated administrators on the local network to bypass input validation controls and modify the router's software and core functionality without proper authorization checks. While the attacker must already have administrative credentials and be connected locally, the lack of proper validation on modification requests means an insider threat or compromised admin account could alter router behavior in ways the organization doesn't intend or expect.
- CVE-2026-0415MEDIUM 4.5
A validation flaw in NETGEAR Orbi and Nighthawk mesh router firmware allows authenticated administrators on the local network to modify router software and settings without proper authorization checks. While the attacker must already have admin credentials and network access, the insufficient input validation creates a pathway to alter router functionality in unintended ways. This is a medium-severity issue affecting a broad range of NETGEAR mesh and satellite models.
- CVE-2026-0416MEDIUM 4.5
NETGEAR has identified a vulnerability affecting their RAX Wi-Fi 6 router models (RAXE450 and RAXE500) in which an authenticated administrator on the local network can send specially crafted input through the management interface to bypass built-in security controls. This could allow the attacker to modify the router's protected software or core functionality without authorization. The flaw requires an admin account and physical/local network proximity, which constrains the attack surface but remains a concern in environments where multiple administrators manage network devices.
- CVE-2026-0417MEDIUM 4.5
NETGEAR has patched an input validation flaw affecting 21 router models. An authenticated administrator on the local network can send specially crafted requests to bypass validation checks and tamper with the router's core configuration or operation. The vulnerability requires administrator-level access and direct network connectivity, which limits the threat to insider risk or compromised admin accounts on the same network segment. The impact is integrity-focused—data confidentiality and system availability are not affected.
- CVE-2026-0418MEDIUM 4.5
CVE-2026-0418 is a configuration management weakness in Netgear networking devices that allows administrators already logged into the local network to make unauthorized changes to system settings. The vulnerability requires authentication and local network access, limiting its reach to internal threats or compromised admin accounts. Netgear has published this issue affecting routers, mesh systems, and cellular gateways across multiple product lines.
- CVE-2026-10814MEDIUM 4.5
Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.
- CVE-2026-11623MEDIUM 4.5
A use-after-free memory vulnerability exists in tmux versions up to 3.6a, specifically within the image handling code. An attacker with local system access could trigger this flaw through a complex exploitation chain to read, modify, or crash tmux processes. While a public exploit has been disclosed, the attack requires both local access and deliberate manipulation, making opportunistic exploitation unlikely. The issue is resolved by upgrading to version 3.7-rc or applying the specific patch commit fc6d94a9f8a593bd8b7031650802084385d4ee03.
- CVE-2026-44640MEDIUM 4.5
NanoMQ is an edge messaging platform that implements the MQTT protocol for lightweight IoT and edge device communication. A type confusion bug exists in versions before 0.24.14 in how the broker handles QUIC connection objects during the dialing and closing lifecycle. When the broker initiates a QUIC connection (dialing), it stores a pointer as one type (nni_quic_conn), but later during cleanup, the code misinterprets that same pointer as a different type (ex_quic_conn). This mismatch causes the broker to read and operate on invalid memory, resulting in hangs or crashes when closing connections. The issue requires local access and user interaction to trigger.
- CVE-2026-49382MEDIUM 4.5
A vulnerability in JetBrains IntelliJ IDEA's Copyright plugin allows an attacker to execute code on a developer's machine through template injection. The attack requires local access and user interaction—specifically, a developer must open a malicious project or file. While the severity is moderate, this poses a real risk in shared development environments or when developers download untrusted projects.
- CVE-2026-10100MEDIUM 4.4
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
- CVE-2026-11411MEDIUM 4.4
A path traversal vulnerability exists in the iAI Lab PDF AI App version 4.21.0 for Android. The flaw is located in the chatpdf.pro component's getExternalCacheDir function, where improper handling of the _display_name parameter allows an attacker with local device access to manipulate file paths. This could enable unauthorized file access or modification on the affected device. Public exploit code is available, increasing the practical risk of exploitation.
- CVE-2026-2500MEDIUM 4.4
The Quick Playground plugin for WordPress has a path traversal flaw that allows WordPress administrators to read sensitive files from the server. An authenticated admin could retrieve files like wp-config.php or /etc/passwd without proper authorization. The vulnerability only affects sites synchronized with WordPress Playground or running on playground.wordpress.net, which significantly constrains real-world exposure. All versions up to and including 1.3.4 are affected.
- CVE-2026-3620MEDIUM 4.4
The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.
- CVE-2026-41978MEDIUM 4.4
A permission control vulnerability exists in a clone module that could allow an unauthorized user to access sensitive information. The issue arises from improper permission checks when cloning resources, potentially exposing confidential data. While the vulnerability requires local access and user interaction to exploit, it carries a medium risk profile and warrants timely remediation to protect data confidentiality.
- CVE-2026-45279MEDIUM 4.4
Nextcloud Server contains a path traversal vulnerability that allows non-admin users to copy files into their own Nextcloud directories in certain scenarios. The vulnerability exists in specific versions and depends on underlying Unix file system permissions. An attacker would need already-elevated user privileges within Nextcloud to exploit this issue, limiting the practical threat surface.
- CVE-2026-45702MEDIUM 4.4
OP-TEE, a security-focused component running on Arm processors, contains a type confusion flaw when handling memory-sharing requests from the normal operating system. The vulnerability only affects specific OP-TEE configurations used to manage secure applications (when both SPMC mode and secure partition features are enabled). An attacker with high system privileges can trigger a denial of service, though the flaw does not expose sensitive data or allow code execution. Upgrading to OP-TEE version 4.11.0 or later resolves the issue.
- CVE-2026-7421MEDIUM 4.4
A WordPress plugin called Passeum Ticketing contains a vulnerability that allows site administrators to inadvertently (or maliciously in compromised accounts) inject malicious scripts into a website. The plugin fails to properly validate the shop name setting, allowing an attacker with admin access to point the site to a malicious domain. When this happens, the plugin loads JavaScript and CSS files from that attacker-controlled domain, which then executes on every page of the website for all visitors. This is a stored cross-site scripting (XSS) vulnerability specific to multisite WordPress installations.
- CVE-2026-7430MEDIUM 4.4
The Post Snippets plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to 4.0.19. An authenticated administrator can inject malicious code through the plugin's import feature. When that code is imported, it gets embedded unsafely into the post editor's JavaScript, allowing the attacker to execute arbitrary scripts that run whenever any administrator opens a post editor page. This is a privilege-escalation and persistence risk: an attacker with admin access can compromise the experience of other admins and potentially maintain control across sessions.
- CVE-2026-8991MEDIUM 4.4
A WordPress plugin called 'Drag and Drop Multiple File Upload for Contact Form 7' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.3.9.7. An attacker with administrator access can inject malicious scripts into the plugin's settings, which will then execute in the browsers of any user who views the affected pages. This is a privilege-escalation risk that exploits insufficient input validation on two specific settings fields.
- CVE-2026-9594MEDIUM 4.4
The WP Maps plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.9.4. An attacker with administrator access or a custom role granted the wpgmp_manage_location capability can inject malicious scripts into location messages. These scripts execute whenever site visitors access pages containing the injected content, potentially compromising user sessions, stealing credentials, or redirecting visitors to malicious sites. The vulnerability requires authenticated access and administrative privileges, limiting its immediate risk but making it a concern for organizations with admin account security gaps or custom role configurations.
- CVE-2019-25717MEDIUM 4.3
Dräger's Infinity Delta, Delta XL, and Kappa patient monitors expose sensitive log files to unauthenticated attackers on the local network. An attacker with network access can retrieve device internals, location data, and network configuration without needing credentials. This is a network-adjacent threat that discloses operational details but does not enable direct device compromise or manipulation.
- CVE-2024-47273MEDIUM 4.3
Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.
- CVE-2025-52606MEDIUM 4.3
HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.
- CVE-2025-53346MEDIUM 4.3
CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.
- CVE-2026-10028MEDIUM 4.3
CVE-2026-10028 is a denial-of-service vulnerability in glib-networking that can be triggered when an attacker presents a maliciously crafted certificate chain containing circular issuer relationships. When an application using glib-networking with GnuTLS backend processes such a chain, the certificate verification logic enters an infinite loop, consuming CPU resources until the process becomes unresponsive. The attack requires user interaction (such as visiting a malicious website or accepting a connection) and affects only the targeted process, not the wider system.
- CVE-2026-10038MEDIUM 4.3
The Charitable donation plugin for WordPress contains a flaw that allows authenticated users with basic subscriber permissions to delete any attachment from a site's Media Library. The vulnerability exploits a two-step process: attackers first poison the stored avatar metadata with a target attachment ID, then trigger normal avatar upload functionality to delete it. While this requires login access, the low privilege level needed and straightforward execution method make it a practical risk for any WordPress site running this plugin where subscriber-level registration is enabled.
- CVE-2026-10113MEDIUM 4.3
Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.
- CVE-2026-10114MEDIUM 4.3
Open5GS versions up to 2.7.7 contain a flaw in how they parse shared NF profile information. When processing certain malformed input, the application writes data beyond the intended memory boundary, potentially crashing the service. While an attacker must have valid network credentials to exploit this, the vulnerability has been publicly disclosed, increasing the likelihood it will be weaponized.
- CVE-2026-10115MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.
- CVE-2026-10116MEDIUM 4.3
A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.
- CVE-2026-10117MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
- CVE-2026-10153MEDIUM 4.3
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
- CVE-2026-10154MEDIUM 4.3
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10173MEDIUM 4.3
Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.
- CVE-2026-10215MEDIUM 4.3
A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.
- CVE-2026-10282MEDIUM 4.3
Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.
- CVE-2026-10289MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in Hotel and Tourism Reservation System version 1.0. An attacker can inject malicious scripts by manipulating parameters in the reservation form—specifically the name, email, people count, or booking number fields in the /ht/tour.php file. When a victim visits a crafted link or page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or defacement. Public exploits are available, increasing active exploitation risk.
- CVE-2026-10291MEDIUM 4.3
Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.
- CVE-2026-10294MEDIUM 4.3
PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.
- CVE-2026-10301MEDIUM 4.3
A reflected cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0. An attacker can craft a malicious URL containing JavaScript code in the 'page' parameter of index.php. When a user visits this link, the script executes in their browser, potentially allowing theft of session cookies, credential capture, or malware redirection. The vulnerability requires user interaction (clicking a link) but poses a meaningful risk to organizations running this system, especially those handling sensitive fee or financial data.
- CVE-2026-10553MEDIUM 4.3
The jQuery Hover Footnotes plugin for WordPress contains a flaw that allows attackers to trick site administrators into unknowingly changing plugin settings. When an admin clicks a malicious link, the attacker can alter how the plugin displays content—including injecting malicious code that affects every visitor to the site. The vulnerability chains two separate weaknesses: the ability to forge requests without verification, followed by the ability to inject unescaped code into pages.
- CVE-2026-10616MEDIUM 4.3
GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.
- CVE-2026-10624MEDIUM 4.3
CVE-2026-10624 is a moderate-severity vulnerability in SourceCodester Human Resource Management version 1.0 that allows authenticated users to access employee information they should not be able to view. The flaw exists in the Employee View Page component and stems from improper handling of the 'employeeid' parameter, which an attacker can manipulate to bypass access controls. Because exploit code has been publicly disclosed, this vulnerability poses a realistic risk to organizations running affected systems.
- CVE-2026-10661MEDIUM 4.3
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.
- CVE-2026-10691MEDIUM 4.3
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
- CVE-2026-10692MEDIUM 4.3
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
- CVE-2026-10702MEDIUM 4.3
A flaw in Firefox's JavaScript Just-In-Time (JIT) compiler can cause it to miscompile code in certain circumstances. When a user visits a malicious website, the affected browser may crash or become unstable due to incorrect code generation during compilation. This is not a memory corruption issue and does not allow attackers to steal data or take control of the system, but it does impact availability and user experience.
- CVE-2026-10787MEDIUM 4.3
Devolutions Server contains a flaw in its API for managing deleted user groups that fails to properly check permissions. An authenticated user with low-level access can craft specific API requests to view metadata about deleted user groups they should not be able to see. The vulnerability requires an attacker to already have valid credentials, limiting the attack surface, but it does represent a breach of data compartmentalization within the system.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10810MEDIUM 4.3
A cross-site scripting (XSS) vulnerability exists in itsourcecode Fees Management System version 1.0 and earlier. The flaw is located in the /navbar.php file, where unsanitized input in the 'page' parameter allows an attacker to inject malicious scripts. An attacker can craft a malicious URL and trick a user into clicking it, causing the injected script to execute in the victim's browser. This could lead to session hijacking, credential theft, or malware distribution. Public exploit code is available, increasing the risk of opportunistic attacks.
- CVE-2026-10854MEDIUM 4.3
CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.
- CVE-2026-10855MEDIUM 4.3
MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.
- CVE-2026-10864MEDIUM 4.3
A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.
- CVE-2026-11031MEDIUM 4.3
Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.
- CVE-2026-11062MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a vulnerability in how it enforces policies on browser extensions. An attacker could create a malicious extension that, if installed by a user, would be able to inject malicious scripts or HTML code into sensitive browser pages. While the technical barrier is relatively low (it requires social engineering to trick a user into installing the extension), the impact is limited to tampering with page content rather than stealing data or causing system crashes.
- CVE-2026-11107MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles the Downloads feature that allows an attacker to trick users with a deceptive webpage. Specifically, an attacker could craft a malicious HTML page that, when viewed in an affected Chrome browser, would display fake or misleading interface elements to deceive users—a technique called UI spoofing. The vulnerability requires user interaction (visiting the malicious page) but does not compromise confidentiality or system availability; the primary risk is deception around the integrity of what the user sees on their screen.
- CVE-2026-11126MEDIUM 4.3
A flaw in Google Chrome's Developer Tools (DevTools) allows an attacker to access data from different websites if they can trick a user into installing a malicious browser extension. The vulnerability has a CVSS score of 4.3 (Medium severity) and requires user interaction—specifically, the user must be convinced to install the malicious extension. Once installed, the crafted extension can exploit improper input validation in DevTools to leak cross-origin data that should normally be protected by browser security policies.
- CVE-2026-11155MEDIUM 4.3
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how CSS is processed that could allow an attacker to trick a user into visiting a malicious website where sensitive data from other sites (cross-origin data) could be leaked. The attack requires user interaction—specifically clicking a link or visiting a crafted page—but does not require the attacker to have special permissions or bypass other security controls. The leaked information would be visible only to the attacker, not modified or destroyed.
- CVE-2026-11156MEDIUM 4.3
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how it handles CSS styling rules that can allow an attacker to extract data from other websites you have open in your browser. An attacker would need to trick you into visiting a malicious webpage, and if successful could read sensitive information from other tabs or windows—such as content from your email, banking site, or other services—that you're simultaneously visiting. This is a cross-origin data leak vulnerability affecting the browser's CSS implementation.
- CVE-2026-11159MEDIUM 4.3
A memory safety issue in Google Chrome's Skia graphics library allows attackers to steal data from websites you visit. By crafting a malicious HTML page, an attacker could trick your browser into exposing information that should remain private to other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking or viewing the page) but doesn't require special browser settings or authentication. Google patched this in Chrome 149.0.7827.53 and later versions.
- CVE-2026-11161MEDIUM 4.3
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how it handles cross-origin data transfers. An attacker can craft a malicious HTML page that, when visited by a user, leaks sensitive information from websites the user is logged into or has visited. The vulnerability requires user interaction (clicking or visiting the page) but does not require special browser permissions or user sophistication to exploit.
- CVE-2026-11162MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a vulnerability in how the browser handles CSS that can allow attackers to steal data from other websites. An attacker would need to trick a user into visiting a malicious webpage, but once there, the flawed CSS implementation could expose sensitive information from pages the user has open in other tabs or windows. The risk is limited to information disclosure—the vulnerability does not allow attackers to modify data or crash the browser.
- CVE-2026-11178MEDIUM 4.3
A security gap in Chrome's WebView component on Android devices allows attackers to steal sensitive information from websites you visit. By tricking a user into opening a malicious webpage, an attacker can bypass Chrome's normal protections and read data that should be restricted to other websites. This affects Chrome versions before 149.0.7827.53. The vulnerability requires user interaction—someone must click a link or open a malicious page—but doesn't require special privileges or advanced technical setup.
- CVE-2026-11192MEDIUM 4.3
Google Chrome's password manager has a flaw that fails to properly check information coming from the network. An attacker can exploit this by sending crafted network traffic to trick the browser's UI into displaying fake or misleading content—for example, mimicking legitimate login prompts or security warnings. The attacker cannot steal data or crash the browser, but they can manipulate what users see, potentially leading to credential theft or social engineering attacks if the spoofed interface convinces users to enter sensitive information.
- CVE-2026-11212MEDIUM 4.3
A vulnerability in Google Chrome's developer tools (DevTools) fails to properly enforce security policies that should prevent extensions from accessing data across different websites. An attacker could trick a user into installing a malicious Chrome extension, which could then exploit this flaw to steal sensitive information from websites the user visits. The issue affects Chrome versions before 149.0.7827.53.
- CVE-2026-11216MEDIUM 4.3
Google Chrome contains a flaw in how it displays security warnings for file input operations. An attacker can craft a malicious webpage that tricks users into performing specific mouse or keyboard actions—such as clicking or dragging—that trigger the file picker dialog. By manipulating the visual presentation of this dialog, the attacker can deceive the user about what action they're performing, potentially leading them to upload sensitive files or authorize unintended operations. This is a user-interaction vulnerability: it requires the attacker to convince the user to engage in the specific gestures, but once they do, the spoofed UI can create false impression of legitimacy.
- CVE-2026-11219MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser implements navigation controls. An attacker can craft a malicious HTML page that, when visited, bypasses intended navigation restrictions—essentially allowing the page to navigate the browser or access certain destinations in ways it shouldn't be able to. The attack requires user interaction (clicking or visiting the page), but no special browser privileges. While Chromium rates this as Low severity internally, the CVSS scoring reflects Medium severity due to the potential for integrity compromise through navigation spoofing.
- CVE-2026-11221MEDIUM 4.3
A weakness in Google Chrome's PointerLock feature allows a threat actor who has already gained control of the browser's renderer process to deceive users through fake on-screen elements. The attacker would craft a malicious HTML page that tricks the browser into displaying misleading UI, potentially impersonating legitimate interface elements. This requires the renderer process to be compromised first, making it a secondary attack that typically follows another successful exploit.
- CVE-2026-11228MEDIUM 4.3
Google Chrome before version 149.0.7827.53 contains a flaw in how it handles file input operations that allows attackers to deceive users through visual manipulation. If an attacker can trick a user into performing specific clicks or interactions on a malicious webpage, they can spoof the browser interface—making fake buttons, dialogs, or other UI elements appear legitimate. This is a social engineering attack that relies on user interaction; the vulnerability itself is in Chrome's file input implementation.
- CVE-2026-11234MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a vulnerability in the FoldableAPIs feature that allows a remote attacker to bypass site isolation—Chrome's core security boundary that separates web pages from each other—if the attacker has already compromised the renderer process. Site isolation is one of Chrome's strongest defenses against malicious websites stealing data from other tabs or extensions. This vulnerability requires both a compromised renderer and user interaction, limiting the immediate threat but warranting timely patching.
- CVE-2026-11245MEDIUM 4.3
CVE-2026-11245 is a user interface spoofing vulnerability in Google Chrome's payment handling system. An attacker can craft a deceptive HTML page that tricks users into believing they are interacting with legitimate payment dialogs or security prompts, potentially leading to credential theft, social engineering, or other forms of user deception. The vulnerability requires user interaction (clicking or engaging with the malicious page) to be exploited, limiting its scope but not eliminating risk in realistic phishing or drive-by attack scenarios.
- CVE-2026-11252MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how it enforces content policies that could allow an attacker to bypass certain access controls through a specially crafted web page. The vulnerability requires user interaction—an attacker would need to trick someone into visiting a malicious page—but does not leak sensitive data or crash the browser. Instead, it could allow unauthorized modification of content or settings the user intended to protect.
- CVE-2026-11253MEDIUM 4.3
Google Chrome contained a flaw in how it handled permissions that could allow an attacker to trick users into visiting a specially crafted web page and leak data from other websites the user was visiting. The vulnerability requires user interaction (clicking or viewing a malicious page) and only affects data confidentiality, not system availability or integrity. Google has patched this in Chrome 149.0.7827.53 and later.
- CVE-2026-11254MEDIUM 4.3
Google Chrome versions prior to 149.0.7827.53 contain a UI spoofing vulnerability in its permissions implementation. An attacker can craft a malicious HTML page that, when visited by a user, displays fake permission prompts or other interface elements to deceive users into granting access or performing unintended actions. The attack requires user interaction—specifically, the victim must visit the attacker's page—but does not require any special browser configuration or privilege level.
- CVE-2026-11257MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser implements navigation controls. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's built-in restrictions on where a page can navigate. This allows the attacker to redirect the user to unintended destinations or perform unwanted navigation actions, potentially leading to phishing, credential harvesting, or distribution of malware. The vulnerability requires user interaction (clicking or visiting the page) and affects Chrome on Windows, macOS, and Linux.
- CVE-2026-11259MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how the Cast feature validates user-supplied input. This allows an attacker to craft a malicious webpage that, when visited, can bypass Chrome's same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites. The attack requires user interaction (visiting the page) but requires no special privileges. While Chromium rates the underlying severity as Low, the ability to circumvent same-origin policy elevates practical risk.
- CVE-2026-11260MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows attackers to bypass the browser's Content Security Policy (CSP) protections via a specially crafted webpage. While the underlying browser vulnerability severity is rated as low, the CVSS assessment elevates this to medium risk because it requires user interaction but could enable an attacker to execute unintended behavior or inject content that CSP should block. The issue affects Chrome on Windows, macOS, and Linux.
- CVE-2026-11261MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles PDF rendering that could allow an attacker to trick users into believing they're viewing legitimate content when they're not. If an attacker has already compromised Chrome's rendering engine (the component that displays web pages), they can craft a specially designed HTML page to perform UI spoofing—making fake buttons, warnings, or other interface elements appear authentic. This is a medium-severity issue because it requires both a prior compromise of the renderer process and user interaction to be exploited.
- CVE-2026-11264MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in how Content Security Policy (CSP) is enforced. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute content that the website owner intended to block, potentially leading to credential theft, session hijacking, or other attacks that degrade site security. The vulnerability requires user interaction—the victim must visit the malicious page—and does not directly compromise the browser itself or enable data exfiltration.
- CVE-2026-11266MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in the Safe Browsing feature that allows a remote attacker to bypass its protections by delivering a specially crafted file. An attacker would need to trick a user into opening or interacting with the malicious file, but if successful, the user's safety checks could be circumvented, potentially allowing access to sites or content that Safe Browsing would normally block.
- CVE-2026-11267MEDIUM 4.3
A vulnerability in Google Chrome's extension framework allows a malicious extension to bypass content security policy (CSP) protections if a user installs it. The issue stems from insufficient policy enforcement mechanisms that fail to properly validate extension behavior. While the underlying Chromium severity is rated as Low, the CVSS assessment elevates it to Medium due to the user interaction requirement combined with potential integrity impact. An attacker would need to socially engineer a user into installing a compromised extension—a realistic but not trivial attack vector.
- CVE-2026-11274MEDIUM 4.3
A flaw in Google Chrome's DOM Distiller component on iOS allows attackers to bypass navigation restrictions through a specially crafted web page. The vulnerability requires user interaction to trigger—specifically, the victim must visit or interact with a malicious page. The impact is limited to breaking navigation boundaries; no data theft or system crashes are involved. Chrome versions prior to 149.0.7827.53 on iOS are affected.
- CVE-2026-11277MEDIUM 4.3
A vulnerability in Chrome for iOS allows an attacker to bypass certain access controls through a specially crafted HTML page. The issue stems from insufficient enforcement of security policies in the iOS version of Chrome. An attacker would need to trick a user into visiting a malicious webpage, but no special user privileges are required and the attack is straightforward to execute. The primary risk is unauthorized modification of data or application behavior—not data theft or system crashes.
- CVE-2026-11280MEDIUM 4.3
A flaw in Google Chrome's sign-in interface on iOS allows an attacker to trick users with a fake login screen. By crafting a malicious web page, an attacker could make it appear that a legitimate Chrome sign-in prompt is appearing, potentially deceiving users into entering credentials or sensitive information. The vulnerability requires user interaction—visiting a crafted page—but does not require authentication or special privileges to attempt. While Google classifies this at low severity internally, the CVSS score reflects medium risk due to the integrity impact of potential credential theft or trust erosion.
- CVE-2026-11285MEDIUM 4.3
Google Chrome on iOS versions before 149.0.7827.53 contain a flaw that allows attackers to trick users with fake, spoofed user interface elements embedded in malicious web pages. An attacker would need to convince a user to visit a crafted HTML page, but no special privileges are required and the attack can be delivered over the network. The vulnerability does not compromise data confidentiality or availability, but could deceive users about what they are viewing or interacting with.
- CVE-2026-11286MEDIUM 4.3
A flaw in Google Chrome's Wallet component allows attackers who have already compromised a browser's renderer process to trick users with fake UI elements displayed on a web page. This requires the attacker to first gain control of the renderer—the part of the browser that displays web content—which is a significant prerequisite but not impossible in real-world scenarios where other vulnerabilities or social engineering may be chained together.
- CVE-2026-11291MEDIUM 4.3
A flaw in how Google Chrome handles autofill on Android devices allows an attacker to craft a malicious webpage that can bypass the browser's same-origin policy protections. By tricking a user into visiting their page, an attacker could potentially manipulate how Chrome autofills data in unexpected ways. Google rates this as low severity internally, though the CVSS score reflects it as medium risk due to the user interaction required and limited scope of potential impact.
- CVE-2026-11292MEDIUM 4.3
Google Chrome versions before 149.0.7827.53 contain a flaw in the Blink rendering engine that allows attackers to bypass Content Security Policy (CSP) protections through a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, where the weakness could enable injection of unintended content or scripts that CSP was supposed to prevent. While Chromium rates this as low severity, the CVSS score reflects moderate impact potential because CSP bypass can lead to unauthorized modifications of page behavior.
- CVE-2026-11294MEDIUM 4.3
Google Chrome versions prior to 149.0.7827.53 contain a flaw in password handling that allows attackers to create fake or misleading login screens through specially crafted web pages. An attacker would need to trick a user into visiting a malicious website, but once there, the browser's UI protections don't adequately prevent visual deception. This is not an authentication bypass—it's a user interface trick that could mislead people about whether they're interacting with legitimate Chrome UI or attacker-controlled content.
- CVE-2026-11298MEDIUM 4.3
A vulnerability in Google Chrome for iOS allows attackers to bypass the same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites—by tricking users into visiting a specially crafted webpage. The flaw affects Chrome versions before 149.0.7827.53 on iPhones and iPads. While the Chromium project rated this as low severity, the CVSS score reflects a medium severity due to the potential for information disclosure or unauthorized content modification in cross-origin contexts.