By year

Vulnerabilities disclosed in 2026

CVEs published in 2026 with SEC.co analysis.

1014 published vulnerabilities · page 6 of 11

  • CVE-2026-10843HIGH 7.2

    OpenShift's Cloud Credential Operator, when running in Mint mode, assigns AWS credentials with excessive permissions. Instead of limiting destructive actions to resources owned by the cluster, the operator grants account-wide scope. If an attacker compromises these credentials, they can perform destructive actions across the entire AWS account, not just the cluster—making lateral movement and account-wide damage possible.

  • CVE-2026-10870HIGH 7.2

    Shibby Tomato version 1.28.0000 contains a command injection vulnerability in its web-based configuration interface that allows authenticated administrators to execute arbitrary operating system commands on the router. An attacker with administrative access can manipulate the DHCP client startup function to inject malicious commands, potentially compromising the entire device and any network it serves. Exploit code has been published publicly, increasing the risk of opportunistic attacks.

  • CVE-2026-10871HIGH 7.2

    Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.

  • CVE-2026-10872HIGH 7.2

    Shibby Tomato 1.28.0000 contains a vulnerability in the Web UI component that allows authenticated users with high-level privileges to inject operating system commands through the VPN server startup function. An attacker with administrative access could manipulate input parameters to execute arbitrary commands on the device, potentially compromising the entire router system. Public exploit information exists for this vulnerability.

  • CVE-2026-10873HIGH 7.2

    Shibby Tomato 1.28.0000 contains a command injection vulnerability in its web interface that allows authenticated administrators to execute arbitrary operating system commands. The vulnerability exists in the rstats_path function within the /bin/rstats component. Because exploit code has been publicly disclosed, the risk of active exploitation is elevated. Note that this project has been superseded by FreshTomato, and users should verify their upgrade path accordingly.

  • CVE-2026-2374HIGH 7.2

    The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

  • CVE-2026-24085HIGH 7.2

    A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.

  • CVE-2026-3820HIGH 7.2

    Supermicro's BMC (Baseboard Management Controller) SMTP service in the AS-2115HS-TNR contains a vulnerability that allows attackers with administrator-level access to inject malicious characters into SMTP configuration fields. This injection can lead the system to execute unintended commands, potentially resulting in loss of service, unauthorized code execution, or complete compromise of the BMC itself. While the attack requires existing high-level privileges, the consequences—especially arbitrary code execution on out-of-band management hardware—are severe.

  • CVE-2026-39276HIGH 7.2

    Emlog Pro v2.6.9 contains a path traversal flaw in its template upload feature that allows authenticated administrators to upload malicious files and execute arbitrary PHP code on the server. An attacker with admin credentials can craft a specially crafted ZIP archive with directory traversal sequences (such as '../') in filenames to escape the intended upload directory, overwrite legitimate template files, or inject malicious code that gets executed by the web server. This is a post-authentication vulnerability, meaning the attacker must already have admin access to the Emlog installation.

  • CVE-2026-40961HIGH 7.2

    Apache Airflow contains a flaw in its login redirect mechanism that allows authenticated users to redirect people to malicious websites. The vulnerability exists because the URL safety check (`is_safe_url`) can be circumvented through crafted URLs, enabling attackers to potentially harvest credentials or distribute malware by making the redirect appear to come from a trusted Airflow instance. Any organization running Airflow and allowing authentication should treat this as a priority.

  • CVE-2018-25392HIGH 7.1

    MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.

  • CVE-2018-25410HIGH 7.1

    SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.

  • CVE-2018-25429HIGH 7.1

    Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.

  • CVE-2018-25430HIGH 7.1

    Paroiciel version 11.20 contains a SQL injection flaw in its egeq.php endpoint. Authenticated users can craft malicious requests that embed SQL commands into the eGeqIdEquipe parameter, allowing them to query the underlying database directly. This bypasses normal access controls and could expose sensitive information such as database version details and other stored data. The vulnerability requires valid login credentials, so it represents an insider threat or compromised-account scenario.

  • CVE-2018-25431HIGH 7.1

    No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.

  • CVE-2025-15654HIGH 7.1

    CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.

  • CVE-2025-52612HIGH 7.1

    HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.

  • CVE-2025-52759HIGH 7.1

    A reflected cross-site scripting (XSS) vulnerability exists in the UnboundStudio Accordion FAQ plugin affecting versions up to 2.2.1. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the victim's browser within the context of the affected site. This allows theft of session cookies, credential harvesting, malware injection, or other client-side attacks. The vulnerability requires user interaction—specifically clicking a malicious link—but has no authentication barrier, making it a straightforward social engineering vector.

  • CVE-2025-67448HIGH 7.1

    A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.

  • CVE-2026-10840HIGH 7.1

    A misconfiguration in the OpenShift Pipelines operator allows any authenticated user on a cluster to gain unauthorized control over workload scheduling and certificate management. The tekton-scheduler-rolebinding grants excessive permissions to all authenticated users, enabling them to disrupt job scheduling, alter priorities, delete other users' workloads, or manipulate TLS certificates—including those protecting ingress controllers. This is a privilege escalation issue that turns cluster authentication into a foothold for operational sabotage.

  • CVE-2026-24090HIGH 7.1

    A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.

  • CVE-2026-31942HIGH 7.1

    LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.

  • CVE-2026-36176HIGH 7.1

    GNCC GP5 version 7.1.76 leaks Backblaze B2 cloud storage upload credentials to the device's serial console in plaintext. An attacker with physical access to the hardware can monitor the UART interface and capture active, pre-signed upload URLs intended for file transfers. Once captured, these URLs can be used to upload or manipulate files in the connected B2 storage bucket without authorization. The vulnerability requires proximity to the device but poses significant risk to organizations using this gateway in sensitive environments.

  • CVE-2026-36606HIGH 7.1

    Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 store backup files that are encrypted with a hardcoded, publicly discoverable key using weak encryption. Anyone who obtains a backup file—whether through direct device access, cloud storage misconfiguration, or phishing—can decrypt it and extract sensitive credentials including the admin password, WiFi pre-shared key, and DDNS login information. This is a local attack that depends on an attacker first gaining access to the backup file itself.

  • CVE-2026-42654HIGH 7.1

    WP Swings Wallet System for WooCommerce contains a flaw that allows attackers with an existing user account to bypass normal authentication safeguards and exploit the password recovery mechanism. An authenticated attacker could use this vulnerability to take over other user accounts, including administrative ones, without knowing their passwords. The vulnerability affects all versions up to and including 2.7.5.

  • CVE-2026-42678HIGH 7.1

    GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.

  • CVE-2026-42681HIGH 7.1

    E2Pdf.Com's e2pdf plugin contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a crafted link, the injected code executes in their browser within the context of the affected site, potentially allowing theft of session data, credentials, or sensitive information. The vulnerability affects e2pdf versions up to and including 1.32.14.

  • CVE-2026-42683HIGH 7.1

    VikBooking Hotel Booking Engine & PMS contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious link or embed JavaScript in user-controllable input fields; when a victim visits the page or interacts with the compromised element, the script executes in their browser with access to session data and sensitive information. This is a client-side vulnerability requiring user interaction but affecting multiple users through a single compromised page.

  • CVE-2026-42685HIGH 7.1

    Ahmad WP Job Portal versions up to 2.5.1 contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a specially designed link and trick a user into clicking it, causing the injected code to execute in that user's browser with their privileges. This vulnerability requires user interaction—the victim must click a malicious link—but once triggered, it can be used to steal session tokens, deface content, redirect users to phishing sites, or perform actions on behalf of the victim.

  • CVE-2026-46130HIGH 7.1

    A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.

  • CVE-2026-46140HIGH 7.1

    A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.

  • CVE-2026-46149HIGH 7.1

    A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.

  • CVE-2026-46150HIGH 7.1

    A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.

  • CVE-2026-44604HIGH 7.0

    A flaw in RPM's archive extraction tool allows an attacker to run arbitrary commands on a system by crafting a malicious archive with shell metacharacters embedded in its folder name. When a user extracts such an archive using the rpmuncompress utility, the unsanitized folder name is passed directly into a shell command, enabling code execution with the privileges of the extracting user. The vulnerability affects ZIP, 7z, and GEM archive formats.

  • CVE-2026-46154HIGH 7.0

    A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.

  • CVE-2026-46164HIGH 7.0

    A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.

  • CVE-2025-15653MEDIUM 6.8

    Dräger's Zeus Infinity Empowered and Zeus RS C500 anesthesia workstations have a security flaw that allows someone with physical access to a device to compromise its software through USB ports. An attacker could interfere with anesthesia delivery, alter medical data, or use the device as a stepping stone to attack a hospital network if the workstation is networked or connected to Dräger's service platform.

  • CVE-2026-0048MEDIUM 6.8

    A vulnerability exists in Android's WindowState component that allows an attacker to overlay malicious UI on top of legitimate system dialogs, tricking users into granting permissions they did not intend to approve. The attack exploits a tapjacking technique where touch inputs are intercepted and misdirected. No special privileges or user awareness is required for the attack to succeed, making it a local but potentially high-impact privilege escalation vector.

  • CVE-2026-0086MEDIUM 6.8

    A vulnerability in Android's DisableSupervisionActivity allows an attacker to delete supervision data on a device by exploiting a missing null check in the onCreate method. This flaw enables local privilege escalation without requiring any special permissions or user interaction, meaning the exploit could trigger automatically during normal device operation. The vulnerability affects multiple Android versions and has a medium severity rating.

  • CVE-2026-36175MEDIUM 6.8

    CVE-2026-36175 is a physical authentication bypass vulnerability affecting GNCC GP5 v7.1.76. An attacker with direct physical access to a device can interrupt the boot process and inject malicious kernel boot arguments, circumventing security controls to obtain root-level access. The vulnerability requires the attacker to be present at the device during startup, making it a targeted risk rather than a remote threat.

  • CVE-2025-59613MEDIUM 6.7

    CVE-2025-59613 is a memory corruption vulnerability affecting Qualcomm wireless, compute, and AR/XR platforms. The flaw occurs when the system attempts to copy data into a buffer that is smaller than the source data being transferred, causing memory to be overwritten beyond the intended boundaries. An attacker with elevated privileges on the device could exploit this to corrupt memory and potentially compromise system integrity, confidentiality, or availability. The vulnerability requires local access and administrative-level permissions to trigger.

  • CVE-2025-59614MEDIUM 6.7

    A memory corruption flaw exists in multiple Qualcomm components when processing random number generator commands with an undersized output buffer. An attacker with high-level privileges on the local system can trigger this condition to corrupt memory, potentially achieving confidentiality, integrity, and availability compromise. The vulnerability requires administrator or equivalent access and cannot be exploited remotely.

  • CVE-2026-10805MEDIUM 6.7

    NetworkManager, a widely used Linux network configuration utility, contains a local privilege escalation vulnerability in its dhclient backend. When processing specially crafted Manufacturer Usage Description (MUD) URLs, an authenticated local user can trigger malicious script execution to gain elevated system privileges. The vulnerability requires specific administrative configuration (non-default use of dhclient backend) and user interaction, limiting its scope but making it a meaningful risk for organizations using that backend.

  • CVE-2026-20453MEDIUM 6.7

    CVE-2026-20453 is a local privilege escalation vulnerability in MediaTek's geniezone component affecting multiple SoC (System-on-Chip) firmware and chipsets. The flaw stems from missing bounds validation during a write operation, allowing an attacker who already has system-level privileges to escalate further or corrupt memory. Because the attack requires prior system access and involves no user interaction, this is a post-compromise risk rather than an initial attack vector. The vulnerability carries a CVSS 3.1 score of 6.7 (Medium severity).

  • CVE-2018-25393MEDIUM 6.5

    Navigate CMS version 2.8.5 contains a flaw that allows authenticated users to download files they shouldn't have access to by manipulating the download request. An attacker with valid login credentials can craft specially-formed requests to the navigate_download.php component using directory traversal patterns (such as ../../../) to sidestep folder boundaries and retrieve sensitive system files like configuration files outside the application's normal download directory.

  • CVE-2018-25421MEDIUM 6.5

    Open STA Manager version 2.3 has a security flaw that allows authenticated users to download files they shouldn't have access to. An attacker with valid login credentials can manipulate web requests to trick the application into retrieving sensitive system files, such as configuration files or data stored outside the intended application directory. The vulnerability exists in the backup module and exploits how the application handles file path requests.

  • CVE-2019-25716MEDIUM 6.5

    Dräger's Infinity Delta, Delta XL, and Kappa patient monitors are vulnerable to a denial-of-service attack triggered by malformed network packets. An attacker on the same network segment can send specially crafted packets that force the monitor to reboot repeatedly, disrupting patient monitoring and causing the device to lose network connectivity and revert to default settings. This is a network-adjacent threat that degrades clinical visibility rather than exposing patient data directly.

  • CVE-2019-25720MEDIUM 6.5

    Dräger patient monitoring systems (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) are vulnerable to denial-of-service attacks from attackers on the same network segment. An unauthenticated attacker can send specially crafted network packets to force the monitor to reboot repeatedly, disrupting continuous patient monitoring. The device may then revert to default settings and lose network connectivity, compounding the disruption to clinical workflows.

  • CVE-2019-25721MEDIUM 6.5

    Dräger Infinity M300 wearable patient monitors running software version VG2.3.1 or earlier are vulnerable to network-based denial-of-service attacks. An attacker positioned on the same network can send specially crafted requests that force the device to reboot repeatedly, effectively taking the monitor offline and disrupting patient monitoring. This is a network-adjacent threat that requires no authentication or user interaction to trigger.

  • CVE-2019-25724MEDIUM 6.5

    Dräger Infinity M300 wearable patient monitors running software version VG2.x and earlier are vulnerable to a network-based denial-of-service attack that forces repeated device reboots. An attacker positioned on the hospital network or Infinity Network can trigger these reboots until the monitor enters a failed state, requiring manual intervention to restore function. During this attack window, wireless connectivity drops, patient monitoring capability is interrupted, and alarm functions become unavailable—creating a gap in real-time clinical visibility that could delay detection of patient deterioration.

  • CVE-2019-25740MEDIUM 6.5

    A vulnerability in Joomla's com_jsjobs extension version 1.2.6 allows authenticated users to delete files from the web server. An attacker who has valid login credentials can craft a malicious request that exploits how the extension handles file path parameters, bypassing intended restrictions and removing files the web server can access. This is a path traversal flaw that turns file upload/management functionality into an unauthorized deletion mechanism.

  • CVE-2024-6858MEDIUM 6.5

    Arista EOS switches running in 802.1X authentication mode contain a logic flaw that can allow unauthorized devices to bypass port access controls. If an unauthenticated device is present on a port configured for multi-auth, and there is an EAPOL-capable (Extensible Authentication Protocol over LAN) device in the fallback VLAN, the unauthenticated device may be granted network access when it should remain blocked. This creates an authentication bypass condition specific to the multi-auth scenario and fallback VLAN configuration.

  • CVE-2025-48977MEDIUM 6.5

    Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.

  • CVE-2025-52766MEDIUM 6.5

    CVE-2025-52766 is a missing authorization flaw in Printeers Print & Ship that allows authenticated users to perform actions they shouldn't have permission to do. An attacker with valid login credentials can exploit improperly configured access controls to modify data or settings—for instance, altering print job configurations, shipping labels, or account information belonging to other users or tenants. The vulnerability requires an authenticated user; it cannot be exploited by unauthenticated attackers. The impact is elevation of privilege within the application, not confidentiality compromise or service disruption.

  • CVE-2025-59601MEDIUM 6.5

    CVE-2025-59601 describes an information disclosure vulnerability in multiple Qualcomm wireless and audio components. When a device is factory reset through its powerline interface, sensitive configuration data may be exposed to an attacker with adjacent network access. This allows unauthorized parties to read device settings that should have been wiped during the reset process. The vulnerability does not allow modification of settings or denial of service, but the exposure of configuration details could enable further attacks or reveal sensitive operational parameters.

  • CVE-2025-70101MEDIUM 6.5

    CVE-2025-70101 is a memory safety flaw in the lwext4 library, a lightweight ext4 filesystem implementation. When processing a specially crafted ext4 disk image, the library can read past the end of allocated memory due to missing validation checks. An attacker who tricks a user into opening a malicious filesystem image can trigger this out-of-bounds read, causing the application to crash. This is primarily a denial-of-service risk rather than a gateway to data theft or system compromise.

  • CVE-2026-0039MEDIUM 6.5

    CVE-2026-0039 is an integer overflow vulnerability in Android's ubsan_throwing_runtime.cpp that allows an authenticated attacker to remotely crash or disable affected devices. The flaw resides in multiple functions and can be exploited without user interaction, making it a straightforward denial-of-service vector for anyone with network access to a vulnerable Android system.

  • CVE-2026-0040MEDIUM 6.5

    CVE-2026-0040 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp file that allows an authenticated attacker to remotely crash the system. No special privileges or user interaction are required for exploitation, making this a straightforward denial-of-service attack vector. The flaw resides in multiple functions within a core runtime component, meaning the exposure is likely widespread across affected Android versions.

  • CVE-2026-0041MEDIUM 6.5

    An integer overflow vulnerability exists in Google Android's UBSan (Undefined Behavior Sanitizer) runtime code. When triggered, the overflow causes the sanitizer itself to fail rather than safely handling undefined behavior, resulting in application crashes or service disruption. An authenticated attacker can remotely exploit this without user interaction, making it a network-reachable denial-of-service vector.

  • CVE-2026-0044MEDIUM 6.5

    CVE-2026-0044 is an integer overflow vulnerability in Android's ubsan_throwing_runtime.cpp that allows an authenticated attacker to crash the system remotely. The flaw requires valid credentials to exploit but no user interaction, making it a straightforward denial-of-service vector that can disrupt device availability without requiring the attacker to execute code or escalate privileges.

  • CVE-2026-0051MEDIUM 6.5

    A vulnerability in Google Android's UBSan (Undefined Behavior Sanitizer) runtime component allows an authenticated attacker to crash the system by sending malformed input to multiple functions in ubsan_throwing_runtime.cpp. The vulnerability requires valid credentials to exploit but no special privileges, and the attacker doesn't need to interact with the device user. The impact is denial of service—the system becomes unavailable—but data confidentiality and integrity are not compromised.

  • CVE-2026-0052MEDIUM 6.5

    CVE-2026-0052 is an integer overflow vulnerability in Android's UBSan runtime that can be triggered remotely by an authenticated attacker to crash the affected system. The flaw exists in multiple functions within ubsan_throwing_runtime.cpp and requires only network access and valid credentials—no special privileges or user interaction needed. Successful exploitation results in denial of service, making the device temporarily unavailable.

  • CVE-2026-0080MEDIUM 6.5

    CVE-2026-0080 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp that allows authenticated attackers to crash affected devices remotely. The flaw requires a valid login but no special permissions, and can be triggered without user interaction—making it a practical denial-of-service vector for an attacker with baseline Android system access.

  • CVE-2026-10004MEDIUM 6.5

    Google Chrome versions before 148.0.7778.216 contain a flaw in how they validate user input within the password-handling component. An attacker can craft a malicious HTML page that, when visited by a user, tricks the browser into displaying fake password prompts or other UI elements that appear legitimate. This is a spoofing attack—the attacker doesn't steal data directly, but deceives users into believing they're interacting with genuine Chrome interface elements, potentially leading them to enter credentials or take other unintended actions.

  • CVE-2026-10008MEDIUM 6.5

    Google Chrome on Android contains an uninitialized memory flaw in the GPU rendering pipeline that could allow an attacker to extract sensitive data from the browser process. An attacker would craft a malicious HTML page that, when loaded by a user, exploits how the GPU handles uninitialized memory regions—leaking fragments of previously-used data that may contain sensitive information. This is a memory disclosure vulnerability, not a code execution flaw, but information leaks can enable follow-on attacks or expose credentials, tokens, and personal data.

  • CVE-2026-10018MEDIUM 6.5

    CVE-2026-10018 is a medium-severity integer overflow vulnerability in ANGLE (Almost Native Graphics Layer Engine), Google's graphics abstraction layer used in Chrome. An attacker can craft a malicious webpage that, when visited, causes Chrome to mishandle memory calculations in its graphics pipeline. This flaw allows the attacker to read sensitive data from the browser's process memory—potentially including cached credentials, session tokens, or other confidential information—without modifying or crashing the system. The vulnerability requires user interaction (visiting the malicious page) but does not require special privileges to exploit.

  • CVE-2026-10190MEDIUM 6.5

    A remotely exploitable vulnerability exists in Tenda W12 version 3.0.0.7(4763) that allows authenticated users to crash the device's web management interface. By sending a specially crafted request to the web timeout configuration function, an attacker with valid credentials can trigger a denial-of-service condition, rendering the device's management portal unavailable until it is restarted. Public exploit code is available, increasing the practical risk.

  • CVE-2026-10272MEDIUM 6.5

    A4M4's Student-Management-System contains an authorization flaw in its admin panel that allows unauthenticated attackers to manipulate a parameter called 'sid' in the deleteform.php file, potentially leading to unauthorized data modification or deletion. The vulnerability is network-accessible and does not require user interaction or special privileges to exploit. While the issue has been publicly disclosed and exploit code is available, the development team has not yet issued a patch or formal response.

  • CVE-2026-10860MEDIUM 6.5

    CVE-2026-10860 is a logic error in MISP's delete handler that allows authenticated users to bypass validation checks and delete records they shouldn't be able to. The flaw stems from a missing parenthesis in the conditional logic that evaluates HTTP DELETE requests, causing the validator to be skipped when a DELETE method is used. While an attacker must already be authenticated, they can exploit this to circumvent application-level protections and remove protected data.

  • CVE-2026-10912MEDIUM 6.5

    A flaw in Google Chrome's extension handling allows an attacker who has already compromised the renderer process to bypass the browser's same-origin policy—a core security boundary that prevents JavaScript from one website accessing data from another. An attacker would need to trick a user into visiting a specially crafted webpage to exploit this. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.

  • CVE-2026-10937MEDIUM 6.5

    CVE-2026-10937 is a same-origin policy bypass vulnerability in Google Chrome's password handling logic. An attacker can craft a malicious HTML page that, when visited by a user, exploits an implementation flaw to circumvent Chrome's same-origin policy protections. This could allow unauthorized script execution or data access across domain boundaries, though the actual impact depends on how the flaw is chained with other browser capabilities. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction to trigger.

  • CVE-2026-10938MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles certain HTML input that could allow an attacker to circumvent site isolation protections, but only if they have already compromised the renderer process. Site isolation is Chrome's core defense that prevents a compromised website from accessing data from other open websites. This vulnerability narrows that protection in specific scenarios.

  • CVE-2026-10944MEDIUM 6.5

    A flaw in Google Chrome's autofill feature on iOS could allow an attacker to trick a user into visiting a malicious webpage that extracts sensitive information you've saved in your browser—such as payment details, addresses, or credentials—from other websites you use. The vulnerability requires user interaction (visiting the malicious page) but does not require special system permissions or unusual browser configurations to exploit.

  • CVE-2026-10950MEDIUM 6.5

    Google Chrome on iOS has a flaw in how it enforces security policies for the autofill feature. An attacker can trick a user into visiting a specially crafted webpage that leaks sensitive data from other websites the user has visited or logged into. The vulnerability requires user interaction (clicking or visiting a malicious link) but doesn't require any special browser configuration or authentication bypass. It affects Chrome versions before 149.0.7827.53 on iOS devices.

  • CVE-2026-10977MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in Skia (Chrome's graphics rendering engine) that could allow an attacker who has already compromised your browser's renderer process to steal data from websites you visit. The attacker would need to trick you into viewing a specially crafted webpage. This is a real but narrowly scoped risk—it requires the renderer to already be under attacker control, limiting the immediate threat from casual browsing.

  • CVE-2026-10979MEDIUM 6.5

    A flaw in the ANGLE graphics library used by Google Chrome before version 149.0.7827.53 allows attackers to read memory outside intended bounds. An attacker can craft a malicious HTML page that, when visited by a user, extracts sensitive data from Chrome's process memory—such as authentication tokens, encryption keys, or other confidential information. Exploitation requires user interaction (clicking a link or visiting a site) but no special privileges.

  • CVE-2026-10980MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in DevTools that allows an attacker who has already compromised the browser's rendering engine to bypass the same-origin policy—a core security boundary that prevents websites from accessing each other's data. An attacker could craft a malicious HTML page to exploit this, potentially gaining unauthorized access to sensitive information from other websites.

  • CVE-2026-10981MEDIUM 6.5

    CVE-2026-10981 is a cross-origin data leak vulnerability in Google Chrome's video codec handling. An attacker who has already compromised Chrome's renderer process can craft a malicious video file to exfiltrate sensitive data from other websites the user is visiting. The vulnerability requires user interaction (opening or playing a video file) and relies on prior compromise of the rendering engine, limiting the attack surface but creating risk for users who already have malware or who visit compromised sites.

  • CVE-2026-10985MEDIUM 6.5

    A flaw in Skia, the graphics rendering engine used by Google Chrome, allows attackers to read data they shouldn't have access to by crafting a malicious web page. When a user visits such a page, the browser's memory can leak information from other websites or origins, potentially exposing sensitive data. The attack requires user interaction—clicking a link or visiting a hostile site—but doesn't require any special browser permissions or configuration.

  • CVE-2026-10992MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the Animation feature validates user-supplied data. An attacker can craft a malicious HTML page that, when opened in a vulnerable Chrome browser, leaks sensitive information stored in the browser's process memory. The attack requires user interaction (opening the page) but no authentication or special browser configuration.

  • CVE-2026-10993MEDIUM 6.5

    A heap buffer overflow vulnerability exists in Skia, the graphics rendering engine used by Google Chrome. By visiting a specially crafted webpage, an attacker can read sensitive data from Chrome's memory without requiring any special user permissions beyond clicking the link. The vulnerability affects Chrome versions before 149.0.7827.53 and has a CVSS severity rating of Medium.

  • CVE-2026-10994MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the ANGLE graphics library that can leak sensitive data from your browser's memory. An attacker can craft a malicious webpage that, when you visit it, reads uninitialized memory and potentially extracts information like passwords, tokens, or other private data. The vulnerability requires user interaction (clicking or viewing the page) but does not require special browser permissions.

  • CVE-2026-10996MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability in how Web Workers are implemented that could allow an attacker to bypass the same-origin policy—a fundamental browser security boundary. An attacker could craft a malicious HTML page that, when visited by a user, potentially accesses or modifies content from other websites in the victim's browser session. This requires user interaction (visiting the crafted page) but does not require any special browser features to be enabled.

  • CVE-2026-10997MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it enforces policies on extensions. An attacker could craft a malicious extension that, if installed by a user, would be able to bypass access controls that should normally restrict what the extension can do. This is a user-assisted attack—the victim must actively install the extension—but once installed, the extension gains unintended capabilities.

  • CVE-2026-10999MEDIUM 6.5

    An integer overflow vulnerability exists in ANGLE (a graphics abstraction layer) within Google Chrome on Windows. Before version 149.0.7827.53, this flaw could allow an attacker who already controls the Chrome renderer process to read sensitive data from memory by tricking a user into viewing a specially crafted webpage. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but does not allow the attacker to modify data or crash the browser.

  • CVE-2026-11001MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Payments feature that allows attackers to create a fake user interface through a specially crafted webpage. To exploit this, an attacker would need to trick a user into performing specific interactions—such as clicks or gestures—on the malicious page. The attack does not steal data or crash the browser, but instead deceives the user by making the browser display content that appears to come from a trusted source, when it actually originates from the attacker. This is a medium-severity issue that depends on user interaction to succeed.

  • CVE-2026-11006MEDIUM 6.5

    A memory safety flaw in Google Chrome's Dawn graphics component (used for GPU rendering) allows attackers to read sensitive data from a user's memory by tricking them into visiting a specially crafted webpage. The vulnerability does not enable code execution or system crashes, but confidentiality is at risk. Chrome versions prior to 149.0.7827.53 are affected.

  • CVE-2026-11007MEDIUM 6.5

    A flaw in Google Chrome's WebView on Android allows an attacker who has already compromised Chrome's renderer process to steal sensitive data from other websites. The vulnerability stems from inadequate validation of user-supplied input, making it possible for an attacker to craft a malicious webpage that leaks cross-origin information—data that should remain isolated between websites. While the attacker must first gain control of the renderer process, the subsequent data leakage requires only that a user visit a crafted page, making this a meaningful risk in multi-stage attack chains.

  • CVE-2026-11008MEDIUM 6.5

    A flaw in Google Chrome's web app installation feature fails to properly validate user input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data from other websites through a malicious webpage. The attacker would need to trick a user into visiting a crafted HTML page, but once the renderer is compromised, the vulnerability creates a pathway to leak cross-origin information that should remain isolated.

  • CVE-2026-11013MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser validates user-supplied input within its networking code. An attacker who has already compromised Chrome's renderer process—the sandboxed component that executes web content—can craft a malicious HTML page to leak sensitive data from the renderer's memory. This is a post-compromise attack vector; the attacker must first gain code execution in the renderer sandbox, but once there, they can extract information that should remain private.

  • CVE-2026-11014MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability where insufficient policy enforcement in the extension system allows a malicious extension to circumvent Site Isolation—Chrome's security boundary that prevents one website from accessing another's data. An attacker must first convince a user to install the malicious extension, but once installed, the extension can read or modify data across websites that the user visits, potentially exposing sensitive information.

  • CVE-2026-11016MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw where insufficient validation of network input allows a remote attacker who has already compromised the browser's renderer process to bypass the same-origin policy. An attacker could craft a malicious HTML page to force the compromised renderer to access resources or data from a different origin, violating the security boundary that normally prevents cross-origin access. This requires initial renderer process compromise—the attacker cannot trigger the vulnerability from an unauthenticated network position alone.

  • CVE-2026-11017MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the Link Preview feature handles navigation restrictions. If an attacker first compromises Chrome's renderer process—the component that displays web content—they can craft a malicious HTML page to bypass restrictions that normally prevent unauthorized navigation. The vulnerability requires prior renderer compromise, limiting its immediate attack surface, but it does allow an attacker with that foothold to navigate to restricted locations without proper authorization.

  • CVE-2026-11018MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces navigation policies. An attacker can craft a malicious HTML page that, when visited, tricks Chrome into allowing navigation to restricted destinations that should normally be blocked. The vulnerability requires user interaction—a person must visit the hostile page—but no special privileges are needed on the attacker's side. The core risk is integrity: an attacker can redirect you to unwanted sites, potentially enabling phishing, malware distribution, or social engineering attacks.

  • CVE-2026-11019MEDIUM 6.5

    A vulnerability in Google Chrome's payments implementation on Android allows an attacker who has already compromised the browser's rendering engine to trick users into believing they are interacting with a legitimate website when they are actually on a fraudulent one. The attacker would craft a deceptive HTML page that spoofs the domain name displayed to the user, potentially leading to credential theft, payment fraud, or other social engineering attacks. This requires an initial compromise of the renderer process, which limits the immediate exposure but represents a serious escalation risk once that initial foothold is established.

  • CVE-2026-11020MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.

  • CVE-2026-11022MEDIUM 6.5

    CVE-2026-11022 is a same-origin policy bypass vulnerability in Google Chrome's DevTools that requires an attacker to have already compromised the renderer process. An attacker could then use a specially crafted HTML page to escape origin restrictions, potentially accessing or modifying data from other websites in the same browser session. This is not a remote code execution vector but rather a privilege escalation within an already-compromised rendering context.

  • CVE-2026-11023MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles web app installation that allows an attacker who has already compromised the browser's renderer process to bypass the same-origin policy. This means a specially crafted web page could be used to access or modify content from other websites in ways the browser is supposed to prevent. The attacker needs prior renderer compromise, limiting the immediate threat to users, but the bypass itself is reliable once that initial foothold exists.

  • CVE-2026-11025MEDIUM 6.5

    Google Chrome on Android contains a flaw in how it enforces content security policies (CSP) during navigation. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute unintended content within a page that should be restricted. The vulnerability requires user interaction (visiting a malicious site) and affects Chrome versions before 149.0.7827.53 on Android devices.

  • CVE-2026-11026MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how extensions are handled that allows an attacker to bypass built-in navigation restrictions. The vulnerability requires social engineering—an attacker must trick a user into installing a malicious Chrome extension. Once installed, the extension can circumvent the browser's navigation safeguards, potentially redirecting users to unintended destinations or enabling other attack chains. This is classified as a Medium severity issue by Chromium's security team.