VYPR

Vendor CVEs

Yandex

All CVEs

35 total · sorted by risk
  • CVE-2021-43766HigAug 25, 2022
    risk 0.53cvss 8.1epss 0.00

    Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL…

  • CVE-2023-29749HigJun 9, 2023
    risk 0.51cvss 7.8epss 0.00

    An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

  • CVE-2022-28226HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update…

  • CVE-2022-28225HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process.

  • CVE-2021-25261HigJun 15, 2022
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process.

  • CVE-2021-25263HigAug 17, 2021
    risk 0.51cvss 7.8epss 0.00

    Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process.

  • CVE-2017-7327HigJan 19, 2018
    risk 0.51cvss 7.8epss 0.01

    Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.

  • CVE-2017-7326HigJan 19, 2018
    risk 0.49cvss 7.5epss 0.01

    Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page

  • CVE-2017-7325HigJan 19, 2018
    risk 0.49cvss 7.5epss 0.01

    Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.

  • CVE-2016-8503HigOct 26, 2016
    risk 0.48cvss 7.3epss 0.01

    Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 16.7 to 16.9 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

  • CVE-2016-8502HigOct 26, 2016
    risk 0.48cvss 7.3epss 0.01

    Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

  • CVE-2025-5470HigDec 9, 2025
    risk 0.47cvss epss 0.00

    Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking.This issue affects Disk: before 3.2.45.3275.

  • CVE-2025-5469HigDec 9, 2025
    risk 0.47cvss epss 0.00

    Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.245

  • CVE-2020-27969HigSep 13, 2021
    risk 0.47cvss 7.3epss 0.01

    Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing

  • CVE-2016-8508MedMar 1, 2017
    risk 0.42cvss 6.5epss 0.02

    Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site.

  • CVE-2016-8507MedMar 1, 2017
    risk 0.42cvss 6.5epss 0.02

    Yandex Browser for iOS before 16.10.0.2357 does not properly restrict processing of facetime:// URLs, which allows remote attackers to initiate facetime-call without user's approval and obtain video and audio data from a device via a crafted web site.

  • CVE-2016-8506MedOct 26, 2016
    risk 0.40cvss 6.1epss 0.01

    XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code.

  • CVE-2016-8505MedOct 26, 2016
    risk 0.40cvss 6.1epss 0.01

    XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code.

  • CVE-2025-48352MedAug 28, 2025
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger yandex-pinger allows Stored XSS.This issue affects Yandex Site search pinger: from n/a through <= 1.5.

  • CVE-2021-43767MedAug 25, 2022
    risk 0.38cvss 5.9epss 0.00

    Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses…

  • CVE-2020-27970MedSep 13, 2021
    risk 0.35cvss 5.3epss 0.01

    Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar

  • CVE-2016-8501MedOct 26, 2016
    risk 0.35cvss 5.3epss 0.01

    Security WiFi bypass in Yandex Browser from version 15.10 to 15.12 allows remote attacker to sniff traffic in open or WEP-protected wi-fi networks despite of special security mechanism is enabled.

  • CVE-2020-7371MedOct 20, 2020
    risk 0.28cvss 4.3epss 0.01

    User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions.

  • CVE-2020-7369MedOct 20, 2020
    risk 0.28cvss 4.3epss 0.01

    User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and…

  • CVE-2016-8504MedOct 26, 2016
    risk 0.28cvss 4.3epss 0.01

    CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile.

  • CVE-2012-2941May 27, 2012
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in search/ in Yandex.Server 2010 9.0 Enterprise allows remote attackers to inject arbitrary web script or HTML via the text parameter.

  • CVE-2026-25865Jun 18, 2026
    risk 0.00cvss epss 0.00

    Punto Switcher through 4.5.0.583 contains an unquoted search path element vulnerability that allows local attackers to execute arbitrary code by exploiting the application's call to WinExec without a fully qualified path for RunDll32.exe when invoking shell32.dll Control_RunDLL…

  • CVE-2025-5471Dec 9, 2025
    risk 0.00cvss epss 0.00

    Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking.This issue affects Telemost: before 2.19.1.

  • CVE-2024-12168Jun 2, 2025
    risk 0.00cvss epss 0.00

    Yandex Telemost for Desktop before 2.7.0 has a DLL Hijacking Vulnerability because an untrusted search path is used.

  • CVE-2023-26226May 30, 2025
    risk 0.00cvss epss 0.00

    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682

  • CVE-2021-25262May 21, 2025
    risk 0.00cvss epss 0.00

    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.

  • CVE-2021-25255May 21, 2025
    risk 0.00cvss epss 0.01

    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.

  • CVE-2021-25254May 21, 2025
    risk 0.00cvss epss 0.00

    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.

  • CVE-2024-6473Sep 3, 2024
    risk 0.00cvss epss 0.01

    Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.

  • CVE-2007-3485Jun 28, 2007
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Yandex.Server allow remote attackers to inject arbitrary web script or HTML via the (1) query or (2) within parameter to the default URI.