VYPR
Vendor

Yandex

Products
15
CVEs
35
Across products
49
Status
Private

Products

15

Recent CVEs

35
View all 35 CVEs →
  • CVE-2021-43766HigAug 25, 2022
    risk 0.53cvss 8.1epss 0.00

    Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL…

  • CVE-2023-29749HigJun 9, 2023
    risk 0.51cvss 7.8epss 0.00

    An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

  • CVE-2022-28226HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update…

  • CVE-2022-28225HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process.

  • CVE-2021-25261HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process.

  • CVE-2021-25263HigAug 17, 2021
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process.

  • CVE-2017-7327HigJan 19, 2018
    risk 0.51cvss 7.8epss 0.01

    Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.

  • CVE-2017-7326HigJan 19, 2018
    risk 0.49cvss 7.5epss 0.01

    Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page

  • CVE-2017-7325HigJan 19, 2018
    risk 0.49cvss 7.5epss 0.01

    Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.

  • CVE-2016-8503HigOct 26, 2016
    risk 0.48cvss 7.3epss 0.01

    Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 16.7 to 16.9 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

  • CVE-2016-8502HigOct 26, 2016
    risk 0.48cvss 7.3epss 0.01

    Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

  • CVE-2025-5470HigDec 9, 2025
    risk 0.47cvss epss 0.00

    Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275.

  • CVE-2025-5469HigDec 9, 2025
    risk 0.47cvss epss 0.00

    Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245

  • CVE-2020-27969HigSep 13, 2021
    risk 0.47cvss 7.3epss 0.01

    Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing

  • CVE-2016-8508MedMar 1, 2017
    risk 0.42cvss 6.5epss 0.02

    Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site.

  • CVE-2016-8507MedMar 1, 2017
    risk 0.42cvss 6.5epss 0.02

    Yandex Browser for iOS before 16.10.0.2357 does not properly restrict processing of facetime:// URLs, which allows remote attackers to initiate facetime-call without user's approval and obtain video and audio data from a device via a crafted web site.

  • CVE-2016-8506MedOct 26, 2016
    risk 0.40cvss 6.1epss 0.01

    XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code.

  • CVE-2016-8505MedOct 26, 2016
    risk 0.40cvss 6.1epss 0.01

    XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code.

  • CVE-2025-48352MedAug 28, 2025
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger yandex-pinger allows Stored XSS.This issue affects Yandex Site search pinger: from n/a through <= 1.5.

  • CVE-2021-43767MedAug 25, 2022
    risk 0.38cvss 5.9epss 0.00

    Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses…