Chrome
by Google
Source repositories
CVEs (5,374)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-1676 | Med | 0.37 | 5.4 | 0.19 | Feb 21, 2024 | Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2018-6171 | Med | 0.37 | 5.7 | 0.00 | Jun 27, 2019 | Use after free in Bluetooth in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. | ||
| CVE-2018-18358 | Med | 0.37 | 5.7 | 0.00 | Dec 11, 2018 | Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file. | ||
| CVE-2017-5042 | Med | 0.37 | 5.7 | 0.00 | Apr 24, 2017 | Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies… | ||
| CVE-2026-8586 | Med | 0.36 | 5.5 | 0.00 | May 14, 2026 | Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: Medium) | ||
| CVE-2025-12439 | Med | 0.36 | 5.5 | 0.00 | Nov 10, 2025 | Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | ||
| CVE-2024-3838 | Med | 0.36 | 5.5 | 0.00 | Apr 17, 2024 | Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed an attacker who convinced a user to install a malicious app to perform UI spoofing via a crafted app. (Chromium security severity: Medium) | ||
| CVE-2021-37996 | Med | 0.36 | 5.5 | 0.01 | Nov 2, 2021 | Insufficient validation of untrusted input Downloads in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a malicious file. | ||
| CVE-2021-37990 | Med | 0.36 | 5.5 | 0.01 | Nov 2, 2021 | Inappropriate implementation in WebView in Google Chrome on Android prior to 95.0.4638.54 allowed a remote attacker to leak cross-origin data via a crafted app. | ||
| CVE-2021-21219 | Med | 0.36 | 5.5 | 0.01 | Apr 26, 2021 | Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | ||
| CVE-2021-21218 | Med | 0.36 | 5.5 | 0.01 | Apr 26, 2021 | Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | ||
| CVE-2021-21217 | Med | 0.36 | 5.5 | 0.02 | Apr 26, 2021 | Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | ||
| CVE-2020-15989 | Med | 0.36 | 5.5 | 0.01 | Nov 3, 2020 | Uninitialized data in PDFium in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | ||
| CVE-2019-5868 | Med | 0.36 | 5.5 | 0.01 | Nov 25, 2019 | Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | ||
| CVE-2019-5860 | Med | 0.36 | 5.5 | 0.01 | Nov 25, 2019 | Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | ||
| CVE-2019-13707 | Med | 0.36 | 5.5 | 0.00 | Nov 25, 2019 | Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application. | ||
| CVE-2018-20073 | Med | 0.36 | 5.5 | 0.00 | Jun 27, 2019 | Use of extended attributes in downloads in Google Chrome prior to 72.0.3626.81 allowed a local attacker to read download URLs via the filesystem. | ||
| CVE-2019-5804 | Med | 0.36 | 5.5 | 0.00 | May 23, 2019 | Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name. | ||
| CVE-2019-5765 | Med | 0.36 | 5.5 | 0.01 | Feb 19, 2019 | An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent. | ||
| CVE-2018-6147 | Med | 0.36 | 5.5 | 0.00 | Jan 9, 2019 | Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process. |
- risk 0.37cvss 5.4epss 0.19
Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)
- risk 0.37cvss 5.7epss 0.00
Use after free in Bluetooth in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
- risk 0.37cvss 5.7epss 0.00
Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file.
- risk 0.37cvss 5.7epss 0.00
Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies…
- risk 0.36cvss 5.5epss 0.00
Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: Medium)
- risk 0.36cvss 5.5epss 0.00
Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)
- risk 0.36cvss 5.5epss 0.00
Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed an attacker who convinced a user to install a malicious app to perform UI spoofing via a crafted app. (Chromium security severity: Medium)
- risk 0.36cvss 5.5epss 0.01
Insufficient validation of untrusted input Downloads in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a malicious file.
- risk 0.36cvss 5.5epss 0.01
Inappropriate implementation in WebView in Google Chrome on Android prior to 95.0.4638.54 allowed a remote attacker to leak cross-origin data via a crafted app.
- risk 0.36cvss 5.5epss 0.01
Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.01
Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.02
Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.01
Uninitialized data in PDFium in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.01
Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.01
Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
- risk 0.36cvss 5.5epss 0.00
Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application.
- risk 0.36cvss 5.5epss 0.00
Use of extended attributes in downloads in Google Chrome prior to 72.0.3626.81 allowed a local attacker to read download URLs via the filesystem.
- risk 0.36cvss 5.5epss 0.00
Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name.
- risk 0.36cvss 5.5epss 0.01
An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.
- risk 0.36cvss 5.5epss 0.00
Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process.
Page 151 of 269