VYPR

Vendor CVEs

Google

All CVEs

11,411 total · sorted by risk
  • CVE-2017-15429MedAug 28, 2018
    risk 0.40cvss 6.1epss 0.01

    Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2017-15427MedAug 28, 2018
    risk 0.40cvss 6.1epss 0.01

    Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar.

  • CVE-2017-13290MedApr 4, 2018
    risk 0.40cvss 6.2epss 0.00

    In sdp_server_handle_client_req of sdp_server.cc, there is an out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android.…

  • CVE-2017-5085MedOct 27, 2017
    risk 0.40cvss 6.1epss 0.01

    Inappropriate implementation in Bookmarks in Google Chrome prior to 59 for iOS allowed a remote attacker who convinced the user to perform certain operations to run JavaScript on chrome:// pages via a crafted bookmark.

  • CVE-2017-5069MedOct 27, 2017
    risk 0.40cvss 6.1epss 0.01

    Incorrect MIME type of XSS-Protection reports in Blink in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to circumvent Cross-Origin Resource Sharing checks via a crafted HTML page.

  • CVE-2017-11593MedJul 24, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus extension before 0.5.7 for Chrome allows remote attackers to inject arbitrary web script or HTML into some web applications via the upload and display of crafted text, markdown, or rst files that are designed…

  • CVE-2016-10398MedJul 17, 2017
    risk 0.40cvss 6.2epss 0.00

    Android 6.0 has an authentication bypass for attackers with root and physical access. Cryptographic authentication tokens (AuthTokens) used by the Trusted Execution Environment (TEE) are protected by a weak challenge. This allows adversaries to replay previously captured…

  • CVE-2017-5045MedApr 24, 2017
    risk 0.40cvss 6.1epss 0.01

    XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed detection of a blocked iframe load, which allowed a remote attacker to brute force JavaScript variables via a crafted HTML page.

  • CVE-2017-5020MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.02

    Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to require a user gesture for powerful download operations, which allowed a remote attacker who convinced a user to install a malicious extension to execute arbitrary code via a…

  • CVE-2017-5018MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.01

    Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML…

  • CVE-2017-5010MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, resolved promises in an inappropriate context, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2017-5008MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed attacker controlled JavaScript to be run during the invocation of a private script method, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS)…

  • CVE-2017-5007MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.02

    Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2017-5006MedFeb 17, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled object owner relationships, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2016-5226MedJan 19, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar.

  • CVE-2016-5208MedJan 19, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 55.0.2883.75 for Linux and Windows, and 55.0.2883.84 for Android allowed possible corruption of the DOM tree during synchronous event handling, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2016-5207MedJan 19, 2017
    risk 0.40cvss 6.1epss 0.02

    In Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android, corruption of the DOM tree could occur during the removal of a full screen element, which allowed a remote attacker to achieve arbitrary code execution via a crafted HTML…

  • CVE-2016-5205MedJan 19, 2017
    risk 0.40cvss 6.1epss 0.01

    Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac, incorrectly handles deferred page loads, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2016-5204MedJan 19, 2017
    risk 0.40cvss 6.1epss 0.01

    Leaking of an SVG shadow tree leading to corruption of the DOM tree in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

  • CVE-2016-5191MedDec 18, 2016
    risk 0.40cvss 6.1epss 0.02

    Bookmark handling in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android had insufficient validation of supplied data, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages, as demonstrated by an…

  • CVE-2016-5181MedDec 18, 2016
    risk 0.40cvss 6.1epss 0.02

    Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted execution of v8 microtasks while the DOM was in an inconsistent state, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via crafted HTML pages.

  • CVE-2015-8955HigOct 10, 2016
    risk 0.40cvss 7.3epss 0.00

    arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.

  • CVE-2016-5165MedSep 11, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Developer Tools (aka DevTools) subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allows remote attackers to inject arbitrary web script or HTML via the settings parameter in a…

  • CVE-2016-5164MedSep 11, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in WebKit/Source/platform/v8_inspector/V8Debugger.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML into the…

  • CVE-2016-5148MedSep 11, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML via vectors related to widget updates, aka "Universal XSS (UXSS)."

  • CVE-2016-5147MedSep 11, 2016
    risk 0.40cvss 6.1epss 0.01

    Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles deferred page loads, which allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."

  • CVE-2016-1682MedJun 5, 2016
    risk 0.40cvss 6.1epss 0.01

    The ServiceWorkerContainer::registerServiceWorkerImpl function in WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp in Blink, as used in Google Chrome before 51.0.2704.63, allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via…

  • CVE-2016-1652MedApr 18, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web…

  • CVE-2016-2423MedApr 18, 2016
    risk 0.40cvss 6.1epss 0.00

    server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset…

  • CVE-2016-2421MedApr 18, 2016
    risk 0.40cvss 6.1epss 0.00

    Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26154410.

  • CVE-2016-2414MedApr 18, 2016
    risk 0.40cvss 6.2epss 0.00

    The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka…

  • CVE-2016-0832MedMar 12, 2016
    risk 0.40cvss 6.1epss 0.00

    Setup Wizard in Android 5.1.x before LMY49H and 6.x before 2016-03-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 25955042.

  • CVE-2016-0813MedFeb 7, 2016
    risk 0.40cvss 6.1epss 0.00

    packages/SystemUI/src/com/android/systemui/recents/AlternateRecentsComponent.java in Setup Wizard in Android 5.1.x before 5.1.1 LMY49G and 6.x before 2016-02-01 does not properly check for device provisioning, which allows physically proximate attackers to bypass the Factory…

  • CVE-2016-0812MedFeb 7, 2016
    risk 0.40cvss 6.1epss 0.00

    The interceptKeyBeforeDispatching function in policy/src/com/android/internal/policy/impl/PhoneWindowManager.java in Setup Wizard in Android 5.1.x before 5.1.1 LMY49G and 6.0 before 2016-02-01 does not properly check for setup completion, which allows physically proximate…

  • CVE-2016-0808MedFeb 7, 2016
    risk 0.40cvss 6.2epss 0.00

    Integer overflow in the getCoverageFormat12 function in CmapCoverage.cpp in the Minikin library in Android 5.x before 5.1.1 LMY49G and 6.x before 2016-02-01 allows attackers to cause a denial of service (continuous rebooting) via an application that triggers loading of a crafted…

  • CVE-2015-6646MedJan 6, 2016
    risk 0.40cvss 6.2epss 0.01

    The System V IPC implementation in the kernel in Android before 6.0 2016-01-01 allows attackers to cause a denial of service (global kernel resource consumption) by leveraging improper interaction between IPC resource allocation and the memory manager, aka internal bug 22300191,…

  • CVE-2007-3484MedJun 28, 2007
    risk 0.40cvss 6.1epss 0.00

    Cross-site scripting (XSS) vulnerability in search.php in Google Custom Search Engine allows remote attackers to inject arbitrary web script or HTML via the q parameter. NOTE: this issue is disputed by the Google Security Team, who states that "Google does not provide the…

  • CVE-2026-53131modJun 25, 2026
    risk 0.39cvss 7.0epss 0.00

    kernel: netfilter: require Ethernet MAC header before using eth_hdr()

  • CVE-2026-52940modJun 24, 2026
    risk 0.39cvss 7.0epss 0.00

    kernel: tun: zero the whole vnet header in tun_put_user()

  • CVE-2026-52935modJun 24, 2026
    risk 0.39cvss 7.0epss 0.00

    kernel: xfrm: espintcp: do not reuse an in-progress partial send

  • CVE-2026-52920modJun 24, 2026
    risk 0.39cvss 7.0epss 0.00

    kernel: netfilter: xt_policy: fix strict mode inbound policy matching

  • CVE-2026-46322HigJun 9, 2026
    risk 0.39cvss 7.1epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: tun: free page on build_skb failure in tun_xdp_one() When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that…

  • CVE-2026-46321HigJun 9, 2026
    risk 0.39cvss 7.1epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg()…

  • CVE-2020-24722MedOct 7, 2020
    risk 0.39cvss 5.9epss 0.02

    An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack.…

  • CVE-2020-0009MedJan 8, 2020
    risk 0.39cvss 5.5epss 0.01

    In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is…

  • CVE-2015-9016HigApr 5, 2018
    risk 0.39cvss 7.0epss 0.00

    In blk_mq_tag_to_rq in blk-mq.c in the upstream kernel, there is a possible use after free due to a race condition when a request has been previously freed by blk_mq_complete_request. This could lead to local escalation of privilege. Product: Android. Versions: Android kernel.…

  • CVE-2015-7889MedDec 28, 2017
    risk 0.39cvss 5.5epss 0.02

    The SecEmailComposer/EmailComposer application in the Samsung S6 Edge before the October 2015 MR uses weak permissions for the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND service action, which might allow remote attackers with knowledge of the local email…

  • CVE-2014-9940HigMay 2, 2017
    risk 0.39cvss 7.0epss 0.02

    The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.

  • CVE-2016-10200HigMar 7, 2017
    risk 0.39cvss 7.0epss 0.00

    Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED…

  • CVE-2016-6689MedOct 10, 2016
    risk 0.39cvss 5.5epss 0.02

    Binder in the kernel in Android before 2016-10-05 on Nexus devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30768347.

Page 139 of 229