Vendor CVEs
All CVEs
11,367 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-2500 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2016 | Activity Manager in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 does not properly terminate process groups, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 19285814. | ||
| CVE-2016-2499 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2016 | AudioSource.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 does not initialize certain data, which allows attackers to obtain sensitive information via a crafted application, aka internal bug… | ||
| CVE-2016-2498 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2016 | The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (2013) devices allows attackers to bypass intended data-access restrictions via a crafted application, aka internal bug 27777162. | ||
| CVE-2016-2495 | Med | 0.36 | 5.5 | 0.01 | Jun 13, 2016 | SampleTable.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 allows remote attackers to cause a denial of service (device hang or reboot) via a crafted file, aka internal bug 28076789. | ||
| CVE-2016-2460 | Med | 0.36 | 5.5 | 0.00 | May 9, 2016 | mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and… | ||
| CVE-2016-2459 | Med | 0.36 | 5.5 | 0.00 | May 9, 2016 | mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and… | ||
| CVE-2016-2458 | Med | 0.36 | 5.5 | 0.00 | May 9, 2016 | The compose functionality in AOSP Mail in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not properly restrict attachments, which allows attackers to obtain sensitive information via a crafted application, related to ComposeActivity.java and… | ||
| CVE-2016-2457 | Med | 0.36 | 5.5 | 0.00 | May 9, 2016 | server/pm/UserManagerService.java in Wi-Fi in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 allows attackers to bypass intended restrictions on Wi-Fi configuration changes by leveraging guest access, aka internal bug 27411179. | ||
| CVE-2016-2454 | Med | 0.36 | 5.5 | 0.00 | May 9, 2016 | The Qualcomm hardware video codec in Android before 2016-05-01 on Nexus 5 devices allows remote attackers to cause a denial of service (reboot) via a crafted file, aka internal bug 26221024. | ||
| CVE-2016-2427 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2016 | The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application,… | ||
| CVE-2016-2426 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2016 | server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted… | ||
| CVE-2016-2425 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2016 | mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs… | ||
| CVE-2016-2424 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2016 | server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted… | ||
| CVE-2016-2415 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2016 | exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to… | ||
| CVE-2016-0831 | Med | 0.36 | 5.5 | 0.00 | Mar 12, 2016 | The getDeviceIdForPhone function in internal/telephony/PhoneSubInfoController.java in Telephony in Android 5.x before 5.1.1 LMY49H and 6.x before 2016-03-01 does not check for the READ_PHONE_STATE permission, which allows attackers to obtain sensitive information via a crafted… | ||
| CVE-2026-11701 | Med | 0.35 | 5.4 | 0.00 | Jun 9, 2026 | Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11666 | Med | 0.35 | 5.4 | 0.00 | Jun 9, 2026 | Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-11243 | Med | 0.35 | 5.4 | 0.00 | Jun 5, 2026 | Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-11232 | Med | 0.35 | 5.4 | 0.00 | Jun 4, 2026 | Inappropriate implementation in TabGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low) | ||
| CVE-2026-11157 | Med | 0.35 | 5.4 | 0.00 | Jun 4, 2026 | Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2026-10984 | Med | 0.35 | 5.4 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-9971 | Med | 0.35 | 5.4 | 0.00 | May 28, 2026 | Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-8561 | Med | 0.35 | 5.4 | 0.00 | May 14, 2026 | Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-8539 | Med | 0.35 | 5.4 | 0.00 | May 14, 2026 | Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-8019 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-8015 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-8012 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-8008 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | ||
| CVE-2026-8006 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | ||
| CVE-2026-8003 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low) | ||
| CVE-2026-7998 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-7962 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2026-7958 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2026-7950 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Medium) | ||
| CVE-2026-7939 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-7935 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-7931 | Med | 0.35 | 5.4 | 0.00 | May 6, 2026 | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-5895 | Med | 0.35 | 5.4 | 0.00 | Apr 8, 2026 | Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low) | ||
| CVE-2025-6557 | Med | 0.35 | 5.4 | 0.00 | Jun 24, 2025 | Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-6556 | Med | 0.35 | 5.4 | 0.00 | Jun 24, 2025 | Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-6555 | Med | 0.35 | 5.4 | 0.00 | Jun 24, 2025 | Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2025-5981 | Med | 0.35 | 6.5 | 0.00 | Jun 18, 2025 | Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images. | ||
| CVE-2025-5283 | Med | 0.35 | 5.4 | 0.00 | May 27, 2025 | Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2025-5281 | Med | 0.35 | 5.4 | 0.00 | May 27, 2025 | Inappropriate implementation in BFCache in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially obtain user information via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2025-5067 | Med | 0.35 | 5.4 | 0.00 | May 27, 2025 | Inappropriate implementation in Tab Strip in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-5064 | Med | 0.35 | 5.4 | 0.00 | May 27, 2025 | Inappropriate implementation in Background Fetch API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2025-3074 | Med | 0.35 | 5.4 | 0.00 | Apr 2, 2025 | Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-3073 | Med | 0.35 | 5.4 | 0.00 | Apr 2, 2025 | Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-3072 | Med | 0.35 | 5.4 | 0.00 | Apr 2, 2025 | Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2025-3071 | Med | 0.35 | 5.4 | 0.00 | Apr 2, 2025 | Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) |
- risk 0.36cvss 5.5epss 0.00
Activity Manager in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 does not properly terminate process groups, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 19285814.
- risk 0.36cvss 5.5epss 0.00
AudioSource.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 does not initialize certain data, which allows attackers to obtain sensitive information via a crafted application, aka internal bug…
- risk 0.36cvss 5.5epss 0.00
The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (2013) devices allows attackers to bypass intended data-access restrictions via a crafted application, aka internal bug 27777162.
- risk 0.36cvss 5.5epss 0.01
SampleTable.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 allows remote attackers to cause a denial of service (device hang or reboot) via a crafted file, aka internal bug 28076789.
- risk 0.36cvss 5.5epss 0.00
mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and…
- risk 0.36cvss 5.5epss 0.00
mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and…
- risk 0.36cvss 5.5epss 0.00
The compose functionality in AOSP Mail in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not properly restrict attachments, which allows attackers to obtain sensitive information via a crafted application, related to ComposeActivity.java and…
- risk 0.36cvss 5.5epss 0.00
server/pm/UserManagerService.java in Wi-Fi in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 allows attackers to bypass intended restrictions on Wi-Fi configuration changes by leveraging guest access, aka internal bug 27411179.
- risk 0.36cvss 5.5epss 0.00
The Qualcomm hardware video codec in Android before 2016-05-01 on Nexus 5 devices allows remote attackers to cause a denial of service (reboot) via a crafted file, aka internal bug 26221024.
- risk 0.36cvss 5.5epss 0.00
The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application,…
- risk 0.36cvss 5.5epss 0.00
server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted…
- risk 0.36cvss 5.5epss 0.00
mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs…
- risk 0.36cvss 5.5epss 0.00
server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted…
- risk 0.36cvss 5.5epss 0.00
exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to…
- risk 0.36cvss 5.5epss 0.00
The getDeviceIdForPhone function in internal/telephony/PhoneSubInfoController.java in Telephony in Android 5.x before 5.1.1 LMY49H and 6.x before 2016-03-01 does not check for the READ_PHONE_STATE permission, which allows attackers to obtain sensitive information via a crafted…
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in TabGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
- risk 0.35cvss 5.4epss 0.00
Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
- risk 0.35cvss 5.4epss 0.00
Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 6.5epss 0.00
Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.
- risk 0.35cvss 5.4epss 0.00
Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in BFCache in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially obtain user information via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Tab Strip in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Background Fetch API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
- risk 0.35cvss 5.4epss 0.00
Inappropriate implementation in Navigations in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Page 154 of 228