Google

All CVEs

11,415 total · sorted by risk
  • CVE-2016-1628 · Med · Feb 21, 2016
    risk 0.41 · cvss 6.3 · epss 0.02

    pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document,…

  • CVE-2026-11273 · Med · Jun 5, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-11229 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Inappropriate implementation in Enterprise in Google Chrome prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via physical access to the device. (Chromium security severity: Low)

  • CVE-2026-11205 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted QR code. (Chromium security…

  • CVE-2026-11186 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11150 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11122 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11034 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient validation of untrusted input in Tab Group Sync in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium)

  • CVE-2026-10916 · Med · Jun 4, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-0055 · Med · Jun 1, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    In createSessionInternal of PackageInstallerService.java, there is a possible way to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User…

  • CVE-2026-0046 · Med · Jun 1, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

  • CVE-2026-7953 · Med · May 6, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium)

  • CVE-2026-5899 · Med · Apr 8, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-5896 · Med · Apr 8, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-0049 · Med · Apr 6, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-12910 · Med · Nov 8, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)

  • CVE-2024-40664 · Med · Sep 4, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    In setupAccessibilityServices of AccessibilityFragment.java, there is a possible way to hide an enabled accessibility service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not…

  • CVE-2025-48554 · Med · Sep 4, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    In handlePackagesChanged of DevicePolicyManagerService.java, there is a possible persistent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.

  • CVE-2025-48527 · Med · Sep 4, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    In multiple locations, there is a possible way to leak hidden work profile notifications due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-26423 · Med · Sep 4, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    In validateIpConfiguration of WifiConfigurationUtil.java, there is a possible way to trigger a permanent DoS due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

  • CVE-2025-0086 · Med · Aug 26, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    In onResult of AccountManagerService.java, there is a possible way to overwrite auth token due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-6044 · Med · Jul 7, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus while the device is closed and using the…

  • CVE-2018-9378 · Med · Jan 28, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2024-8907 · Med · Sep 17, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity:…

  • CVE-2024-32918 · Med · Jun 13, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Permission Bypass allowing attackers to disable HDCP 2.2 encryption by not completing the HDCP Key Exchange initialization steps

  • CVE-2024-3847 · Med · Apr 17, 2024
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2024-3841 · Med · Apr 17, 2024
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in Browser Switcher in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to inject scripts or HTML into a privileged page via a malicious file. (Chromium security severity: Medium)

  • CVE-2024-29754 · Med · Apr 5, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    In TMU_IPC_GET_TABLE, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2024-25984 · Med · Mar 11, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    In dumpBatteryDefend of dump_power.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2024-22007 · Med · Mar 11, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    In constraint_check of fvp.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2023-5480 · Med · Nov 1, 2023
    risk 0.40 · cvss 6.1 · epss 0.01

    Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High)

  • CVE-2022-3863 · Med · Jan 2, 2023
    risk 0.40 · cvss 6.1 · epss 0.00

    Use after free in Browser History in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

  • CVE-2022-0801 · Med · Jan 2, 2023
    risk 0.40 · cvss 6.1 · epss 0.01

    Inappropriate implementation in HTML parser in Google Chrome prior to 99.0.4844.51 allowed a remote attacker to bypass XSS preventions via a crafted HTML page. (Chrome security severity: Medium)

  • CVE-2022-39912 · Med · Dec 8, 2022
    risk 0.40 · cvss 6.2 · epss 0.00

    Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder.

  • CVE-2022-1494 · Med · Jul 26, 2022
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page.

  • CVE-2022-1492 · Med · Jul 26, 2022
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in Blink Editing in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to inject arbitrary scripts or HTML via a crafted HTML page.

  • CVE-2022-1132 · Med · Jul 23, 2022
    risk 0.40 · cvss 6.1 · epss 0.00

    Inappropriate implementation in Virtual Keyboard in Google Chrome on Chrome OS prior to 100.0.4896.60 allowed a local attacker to bypass navigation restrictions via physical access to the device.

  • CVE-2021-37999 · Med · Nov 23, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page.

  • CVE-2021-38319 · Med · Sep 9, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    The More From Google WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/morefromgoogle.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.

  • CVE-2020-16046 · Med · Jan 14, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Script injection in iOSWeb in Google Chrome on iOS prior to 84.0.4147.105 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

  • CVE-2020-16030 · Med · Jan 8, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in Blink in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2020-6535 · Med · Jul 22, 2020
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a crafted HTML page.

  • CVE-2020-6470 · Med · May 21, 2020
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient validation of untrusted input in clipboard in Google Chrome prior to 83.0.4103.61 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via crafted clipboard contents.

  • CVE-2019-13714 · Med · Nov 25, 2019
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL.

  • CVE-2018-6145 · Med · Jun 27, 2019
    risk 0.40 · cvss 6.1 · epss 0.01

    Insufficient data validation in HTML parser in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

  • CVE-2018-6128 · Med · Jun 27, 2019
    risk 0.40 · cvss 6.1 · epss 0.01

    Incorrect URL parsing in WebKit in Google Chrome on iOS prior to 67.0.3396.62 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

  • CVE-2018-20071 · Med · Jan 9, 2019
    risk 0.40 · cvss 6.1 · epss 0.00

    Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controlled files via a crafted HTML page.

  • CVE-2018-16084 · Med · Jan 9, 2019
    risk 0.40 · cvss 6.1 · epss 0.01

    The default selected dialog button in CustomHandlers in Google Chrome prior to 69.0.3497.81 allowed a remote attacker who convinced the user to perform certain operations to open external programs via a crafted HTML page.

  • CVE-2018-20524 · Med · Dec 27, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of < in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP).

  • CVE-2018-6081 · Med · Nov 14, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page.
